AEPD (Spain) - PS-00085-2024
AEPD - PS-00085-2024 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(1) GDPR; Article 4(2) GDPR; Article 4(7) GDPR; Article 4(12) GDPR; Article 5(1)(f) GDPR; Article 6(4) GDPR; Article 14 GDPR; Article 21 GDPR; Article 58(2) GDPR; Article 83(2) GDPR; Article 83(5) GDPR; Article 83(6) GDPR; Article 112(1) LPACAP; Article 118 LPACAP; Article 14 LPACAP; Article 41 LPACAP; Article 43 LPACAP; Article 47 LOPDGDD; Article 48(1) LOPDGDD; Article 63(2) LOPDGDD; Article 64(2) LOPDGDD; Article 64(2) LPACAP; Article 65(4) LOPDGDD; Article 68(1) LOPDGDD; Article 72 LOPDGDD; Article 76(2) LOPDGDD; Article 85 LPACAP |
Type: | Complaint |
Outcome: | Other Outcome |
Started: | 18.04.2024 |
Decided: | |
Published: | 10.05.2024 |
Fine: | n/a |
Parties: | Comunidad de Propietarios R.R.R.; A.A.A. |
National Case Number/Name: | PS-00085-2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | isabela.maria.rosal |
The Spanish DPA settled a complaint against the data controller over a possible breach of Article 5(1)(f) GDPR after an agreement was concluded. The case was closed once a reduced amount of the proposed fine had been paid.
English Summary
Facts
The data subject filed a complaint against the data controller, a legal entity representing the community of residents, for sharing with all members of the community a document listing individualized heating consumption. Since the information identified each home by its number, the document was considered to contain personal data. The Spanish DPA then proposed an agreement under which the data controller would pay a reduced amount of the proposed fine, considering the likelihood of the data breach.
Holding
The Spanish DPA finalized an agreement with the data controller after opening an investigation into a probable infringement of Article 5(1)(f) GDPR. The alleged GDPR breach concerned the message the controller sent to all community residents containing individualized information about their heating consumption. Since this information is considered personal data, sending it could be understood as unlawful sharing of personal information.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202304214

RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

From the procedure conducted by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On April 18, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against COMMUNITY OF OWNERS R.R.R. (hereinafter, the claimed party), through the Agreement transcribed below:

<< File No.: EXP202304214

AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on September 15, 2023. The claim is directed against COMMUNITY OF OWNERS R.R.R., with NIF ***NIF.1 (hereinafter, the claimed party). The grounds on which the claim is based are the following:

The complaint concerns an email sent to all community members on the occasion of the next owners' meeting, to which a list of individualized heating consumption, month by month and identified by floor and letter, was attached.

A copy of the list received is provided along with the claim.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the claimed party, so that it could analyze it and inform this Agency, within a period of one month, of the actions carried out to comply with the requirements of the data protection regulations.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on 04/11/2023, as stated in the acknowledgment of receipt that appears in the file.
On 04/27/2023, this Agency received a written response indicating, among other things, the following:

“…in 2019, following the installation of heating cost allocators, several owners requested that the list of consumption be sent, in order to justify and prove the reduction in costs after the installation, due to the continuous complaints from several neighbors about it. With this list it was justified and proven that most of the homes paid the same as or less than before the cost allocators…

One of the grounds contemplated by the General Data Protection Regulation that legitimizes the processing of personal data is the satisfaction of the legitimate interest alleged by the person responsible or a third party. We believe that this interest would apply in this case, by announcing the savings that the installation of cost allocators has meant for the owners.”

THIRD: On 08/22/2023, the proceedings were archived since, from the actions carried out and the documentation in the file, no infringing action by the claimed party within the jurisdiction of the AEPD could be inferred, so the claim was archived.

FOURTH: On 09/05/2023, the complaining party requested a copy of the file, which was sent on 09/06/2023.

FIFTH: On 09/15/2023, the complaining party filed an appeal for reconsideration alleging that an error occurred in the legal classification of the facts reported, that there was an absence of investigative activity on the part of the AEPD, that individualized energy consumption data for each supply point may be considered personal data insofar as it refers to an identifiable person, and that the data protection regulations have been breached, in articles 14, 6.4 and 21 of the RGPD, among others.
The complaining party requests the annulment of the archiving resolution and that an investigative phase be opened, that a correct legal classification of the reported facts be made, that the illegality of the actions of the claimed party be declared, and that repetition of the reported processing in the future be prohibited.

SIXTH: On 01/03/2024, in accordance with the provisions of article 118 of the LPACAP, the claimed party was granted a hearing, with the documentation provided by the appellant attached, so that, within a maximum period of ten business days, it could make the allegations and submit the documents and supporting evidence it deemed appropriate.

The transfer of the hearing procedure, which was carried out in accordance with the rules established in the LPACAP, was collected on 01/12/2024, as stated in the acknowledgment of receipt that appears in the file.

On 01/19/2024, this Agency received a response letter indicating, among other things, the following:

“Agree with the resolution of the AEPD, which supports and legitimizes the sending of a list, the object of this appeal, made by the Community of Owners Paseo de Yeserías 33, at the request of several owners, including the vice president, due to the continuous complaints that arose after the installation of the heating cost allocators. With this list it was justified and proven that the majority of the homes paid the same as or less than before the cost allocators. We emphasize that sending the list "only had the purpose of satisfying the legitimate interest alleged by the person responsible."”

SEVENTH: On 02/08/2024, the appeal for reconsideration filed by A.A.A. against the resolution of this Agency issued on August 22, 2023, which had agreed to archive the claim concerning the COMMUNITY OF OWNERS R.R.R., was upheld, in order for the processing to continue.
The notification, which was carried out in accordance with the rules established in the LPACAP, was collected on 02/09/2024, as stated in the acknowledgment of receipt that appears in the file.

FOUNDATIONS OF LAW

I
Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, this organic law, the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II
Previous issues

Analyzing the issue, STS 2484/2019 of the Contentious-Administrative Chamber (SAN 1711/2018) establishes in its Third Legal Foundation in fine that:

“[…] We consider that the measurements of the individual consumption of electrical energy associated with each supply point and its code, which the distribution companies are obliged to send to the system operator, insofar as they contain information concerning the behavioral habits of an identifiable natural person, are personal data (art. 2.a) of Directive 95/46/EC and art. 3.a) of Organic Law 15/1999, of December 13, on Data Protection), and, as such, are protected by the guarantees established by data protection regulations.”

Therefore, extrapolating to the energy consumption of each resident, it should be noted that these data are protected by data protection regulations.
In the present case, in accordance with the provisions of articles 4.1 and 4.2 of the RGPD, personal data is being processed, since the claimed party carries out the collection, recording, organization and storage of, among others, the following personal data of natural persons: name, identification number and location data, among other processing operations.

The claimed party carries out this activity in its capacity as data controller, given that it is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR.

Article 4, section 12 of the GDPR broadly defines “violations of security of personal data” as “all those security violations that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to said data.”

III
Principle of integrity and confidentiality

Article 5.1.f) “Principles relating to processing” of the GDPR establishes:

"1. Personal data will be:
(…)
f) processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures (“integrity and confidentiality”).”

In the present case, it is clear that the personal data of the complaining party, considering gas consumption as personal data (as argued in the previous foundation), have been unduly exposed to all the community members, since they were sent by email as a report, prior to the holding of the Meeting, showing the individualized month-by-month heating consumption, by floor/door indicator, of each and every one of the neighbors, resulting in a loss of confidentiality.
In accordance with the evidence available at this stage of the agreement to initiate the sanctioning procedure, and without prejudice to what results from the investigation, it is considered that the known facts could constitute an infringement, attributable to the claimed party, for violation of article 5.1.f) of the GDPR.

IV
Classification of the violation of article 5.1.f) of the RGPD

If confirmed, the aforementioned violation of article 5.1.f) of the RGPD could entail the commission of the infringements classified in article 83.5 of the RGPD, which under the heading “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher:

a) the basic principles for processing, including the conditions for consent under articles 5, 6, 7 and 9; (…)”

For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, in particular the following:

a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679.
(…)”

V
Proposed sanction for violation of article 5.1.f) of the RGPD

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available at this stage of the agreement to initiate the sanctioning procedure, and without prejudice to what results from the investigation, it is considered that the balance of the circumstances contemplated in article 83.2 of the RGPD and article 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 5.1.f) of the RGPD, allows a fine of €600 (six hundred euros) to be set initially.

V
Adoption of measures

If the violation is confirmed, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where applicable, in a certain manner and within a specified period…”, the resolution that is adopted may require the claimed party to prove to this Agency, within a period of one month, that it has adopted the necessary measures to prevent personal data related to gas consumption from being disseminated, without prejudice to others that could arise from the investigation of the procedure.

It is warned that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative infringement in accordance with the provisions of the RGPD, classified as an infringement in its articles 83.5 and 83.6, and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.
Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency AGREES:

FIRST: TO START SANCTIONING PROCEDURE against the COMMUNITY OF OWNERS R.R.R., with NIF ***NIF.1, for the alleged violation of Article 5.1.f) of the RGPD, classified in Article 83.5.

SECOND: TO APPOINT B.B.B. as instructor and C.C.C. as secretary, indicating that they may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of the LPACAP, the sanction that could correspond would be 600 euros, without prejudice to what results from the investigation.

FIFTH: TO NOTIFY this agreement to the COMMUNITY OF OWNERS R.R.R., with NIF ***NIF.1, granting a hearing period of ten business days to make the allegations and present the evidence it considers appropriate. Your written allegations must state your NIF and the file number that appears in the heading of this document.

If within the stipulated period you do not make allegations to this initiation agreement, it may be considered a proposal for a resolution, as established in article 64.2.f) of the LPACAP.

In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the period granted for making allegations to this initiation agreement, which will entail a 20% reduction in the sanction that may be imposed in this procedure.
With the application of this reduction, the penalty would be set at 480.00 euros, resolving the procedure with the imposition of this sanction.

Likewise, you may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will mean a 20% reduction in the amount. With the application of this reduction, the penalty would be set at 480.00 euros, and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.

The reduction for voluntary payment of the penalty is cumulative with the one that applies for recognition of responsibility, provided that this recognition of responsibility is made evident within the period granted to make allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the penalty would be set at 360.00 euros.

In any case, the effectiveness of either of the two reductions mentioned will be conditional upon the withdrawal or waiver of any administrative action or appeal against the sanction.

In the event that you choose to proceed with the voluntary payment of either of the amounts indicated above, 480.00 euros or 360.00 euros, you must make it effective by depositing it into the account with IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the payment reference the reference number of the procedure that appears in the heading of this document and the ground for the reduction in the amount that is being applied.
Likewise, you must send proof of payment to the General Subdirectorate of Inspection so that the procedure can continue in accordance with the amount paid.

The procedure will have a maximum duration of twelve months from the date of the initiation agreement. After that period has elapsed without a resolution having been issued and notified, the procedure will expire and, consequently, the proceedings will be archived, in accordance with the provisions of article 64 of the LOPDGDD.

In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, from now on, the notifications sent to you will be made exclusively electronically, through the Unique Enabled Electronic Address (dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the file, the step will be deemed to have been carried out and the procedure will continue. You are informed that you can provide this Agency with an email address at which to receive the notice that notifications have been made available, and that failure to send this notice will not prevent the notification from being considered fully valid.

Finally, it is noted that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.

935-18032024
Mar España Martí
Director of the Spanish Data Protection Agency
>>

SECOND: On April 27, 2024, the claimed party paid the penalty in the amount of 480 euros, making use of one of the two reductions provided for in the Initiation Agreement transcribed above. Therefore, recognition of responsibility has not been accredited.

THIRD: The payment made entails the waiver of any pending administrative action or appeal against the sanction, in relation to the facts referred to in the Initiation Agreement.
FOURTH: The Initiation Agreement transcribed above indicated that the controller could be ordered to adopt appropriate measures to bring its conduct into line with the regulations mentioned in this act, in accordance with the provisions of the cited article 58.2 d) of the RGPD, according to which each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where applicable, in a certain way and within a specified period….”

FOUNDATIONS OF LAW

I
Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, this organic law, the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II
Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading “Termination in sanctioning procedures”, provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender recognizes his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and a non-pecuniary sanction may both be imposed but the inadmissibility of the second has been justified, voluntary payment by the alleged responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be specified in the notification of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased by regulation."

Since the pecuniary penalty has been paid, in accordance with section 2 of this article, voluntary payment implies the termination of the procedure, except in relation to the restoration of the altered situation. Therefore, the imposition of the measures necessary to stop the conduct or correct the effects of the violation is appropriate.

In accordance with what has been stated, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure EXP202304214, in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO ORDER the COMMUNITY OF OWNERS R.R.R. to notify the Agency, within one month from when this resolution becomes final and enforceable, of the adoption of the measures described in the legal bases of the Initiation Agreement transcribed in this resolution.

THIRD: TO NOTIFY this resolution to the COMMUNITY OF OWNERS R.R.R.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

1309-16012024
Mar España Martí
Director of the Spanish Data Protection Agency