AEPD (Spain) - A/00291/2017

From GDPRhub
AEPD - A/00291/2017
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 7 GDPR
Type: Complaint
Outcome: Upheld
Started: 19/06/2017
Decided:
Published: 19.10.2022
Fine: n/a
Parties: n/a
National Case Number/Name: A/00291/2017
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Paola León

The Spanish DPA ordered the removal of a professional resume uploaded on a public Facebook group without the consent of the data subject.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject's curriculum vitae (CV) had been published on a public and open Facebook group without their consent. The CV included their home address, telephone number and e-mail address, among other personal information. The data subject stated that they were unaware of how the CV came into the hands of the person publishing it (the controller). Although it could have been obtained from websites, such as LinkedIn or Infojobs, their settings only allowed for recruiters to access it. Further, the data subject claimed that, based on a Google search, the controller was the administrator of several companies, therefore they could have used this position to access the CV. The data subject also indicated that the CV could also have been provided by a third party, with whom they had shared it a couple of years ago, when looking for a job.

The data subject submitted a complaint to the Spanish DPA indicating that the controller posted their resume in the same Facebook group several times and stating that they had contacted the Group Administrator and the controller who refused to remove the publication.

The controller presented several arguments in its defence. It claimed that the data subject's resume had been public at all times, considering its availability on portals, such as LinkedIn. Moreover, the controller submitted that the data subject was a public figure, therefore their professional activity was already available to the public. Allegedly, the CV also 'circulated publicly' since a trial involving the data subject. Finally, the controller argued that they were not actually responsible for removing the files, as it should be the task of the Facebook group administrator.

Holding[edit | edit source]

First, the Spanish DPA recalled that data which may appear on a website, according to Article 3(j) of the LOPD, are not considered sources accessible to the public. The fact that the controller provided a copy of said resume in a public trial did not convert said document into a source of public access.

Second, even if it was true that the data subject physically distributed their resume to other people, it did not authorise the controller to disseminate it on Facebook forums or expose it repeatedly. The DPA confirmed that the controller did not collect consent within the meaning of Article 6(1)(a) GDPR for said dissemination.

Third, the DPA noted that freedom of expression must be differentiated from the violation of the fundamental right to data protection. Such a violation occured when uploading a CV not related to the activity of the controller in order to maintain informal contacts on a Facebook group.

Fourth, regarding the allegation that the data subject was a person of public relevance, it was proven that they did not hold any public office. Rather, they have performed actions related to political training. Hence, there was no authorisation for the exhibition of the CV on Facebook without the data subject's consent on repeated occasions.

Firth, the DPA stated that the controller was responsible for uploading the data subject's CV to Facebook on several occasions and as such, violated Article 10 of the LOPD relating to professional secrecy.

In conclusion, the Spanish DPA considered this violation as serious and ordered the controller to remove the file containing the data subject's CV from the Facebook group.

Comment[edit | edit source]

There are two important points that can be extracted from this decision:

1. The definition of public sources as per Article 3(j) of the Spanish Data Protection law

"Sources accessible to the public: those files whose consultation can be carried out by any person, not prevented by a limiting rule or without further requirement than, where appropriate, the payment of a consideration.

They are exclusively considered public access sources, the promotional census, the telephone directories in the terms provided by their specific regulations and the lists of people belonging to groups of professionals that contain only the data of name, title, profession, activity, academic degree, address and indication of their membership in the group. Likewise, official newspapers and bulletins and the media have the character of public access sources."

Thus, the AEDP stated that social media websites can't be considered a public source.

2. A person that publishes someone else's personal data on social media pages without their consent is considered responsible of the treatment and as such is subject to being fined under GDPR and Spanish Data Protection law.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/10




                                                • Procedure No.: A/00291/2017



                            RESOLUTION: R/02928/2017



       In procedure A/00291/2017, instructed by the Spanish Agency for
Data Protection to A.A.A., given the complaint filed by B.B.B. and under
the following,


                                     BACKGROUND



FIRST: On 06/19/2017, this Agency received a document sent
by Don B.B.B., in which he states the following:

       <<On May 16, an individual named A.A.A. made a broadcast
of my resume in a Facebook group, PUBLIC and OPEN, named

"***GROUP 1".

       In said curriculum, in addition to other information, my address, telephone number and
e-mail are perfectly visible, without in any case having been
obtained my consent for said publication.


       In addition, I do not know how it came into the hands of Mr. A.A.A. me
resume, although you could have obtained it from portals such as Linkedin or Infojobs, if
well my advertising settings on both portals prevent my spreadsheet
curriculum is accessible, except for companies demanding personnel. A
Google search allows verifying that Mr. A.A.A. listed as administrator

from various companies, which could have been used to access my data
personal information and, much more serious, spreading them without my consent.

       In the same way, the curriculum could have been provided by Mr. C.C.C., to
whom I myself had provided it to him a couple of years ago, when I was

looking for work, in order to present it to the administrator of your
community of neighbors and with whom he maintained a friendly relationship today turned into
manifest enmity. Mr. C.C.C. and Mr. A.A.A. they are friends with each other.

       Accompanying screenshot of the publication of the curriculum, which can be
verified at the following link, after logging-in on FACEBOOK:


       https://***URL.1. In it, the defendant in conversation with other
people refers to the complainant, who does not appear to participate in any way in the
Group, since “(...)”, or “(...)”


SECOND: Dated ***DATE.1, there is an Inspection Procedure in which the
verifies that the reported information is still accessible on the internet.




28001 – Madrid 6 sedeagpd.gob.es 2/10




THIRD: On 09/04/2017, an extension to the complaint was received from the
complainant. He states that A.A.A.. has re-disseminated his curriculum in the group of
FACEBOOK “***GROUP.1”. This group is accessed by request and has
over 7,000 members. He states that he contacted the Administrator of the
Group and contacted the reported user, refusing to do so Aporta

copy that ratifies it and in which the defendant refuses to withdraw it. In the
resume inserts, the complainant alludes again in conversation, again
to the creator of “photoshops”

FOURTH: The complainant files a third extension of his complaint on
09/14/2017. It states that the defendant has made eight new broadcasts of his

data, on the FACEBOOK channels: “***GRUPO.1” and “***GRUPO.1”. Contribute
screen printing of 09/7 and 14/09/2017, in which it can be seen that on the
printing of the curriculum on one side, ***GROUP.1 is indicated and on another screen the curriculum
of the complainant with his photo. Is another screen print dated 09/08/2017, with the
same curriculum on page ***GROUP.1. Also on the same page is

exposed in other hours of the same day the same curriculum. It also indicates that he asked the
Administrator remove said file, indicating that it had already removed some
files, providing a screen print copy in this regard. The expressions that
accompanies the defendant to the insertion of the curriculum in conversation with others, without
record that the complainant does so with expressions such as “(...)”, reiterating the
insertion with “(...)”, “the author”, or “for the moment that serves as a reminder”


FIFTH: Consultation of the AEPD application that manages the consultation of
history of sanctions and previous warnings, the accused is not
there are previous records.

SIXTH: On 09/29/2017, the Director of the Spanish Agency for the Protection of

Data agreed to submit this proceeding to a prior hearing.
warning A/00291/2017 for infringement of articles 6.1 and 10 of the LOPD, for
part of AAA, typified as serious in articles 44.3.b) and 44.3.c) of the LOPD.


SEVENTH: On 10/18/2017, the defendant filed allegations indicating:


    1) The complainant's resume has been public at all times. Your data is
       published on public portals such as LINKEDIN or INFOJOBS, which
       It considers it as a “public access source” and it expresses it. It is not
       true that you have obtained the complainant's curriculum by accessing said
       pages nor has anyone given it to them. He also posted it

       on FACEBOOK And has delivered it to people since 2014.

    2) The complainant is a public figure who held several positions as a spokesperson
       of ***PARTIDO POLITICO.1 in ***LOCALIDAD.1 and continues to belong to
       same. People already know your activity and a person's personal data

       party public.

    3) He had a trial with the complainant and he contributed to said process a copy of his
       curriculum as evidence and since it was a public trial, the curriculum “circulated
       publicly”



28001 – Madrid 6 sedeagpd.gob.es 3/10




    4) The FACEBOOK groups “***GROUP.1” and “***GROUP.1” are channels not
       officials of participants of the political party to which “we both belong”.


    5) Freedom of expression in forums, as a constitutional right.



    6) He is not responsible for any of the FACEBOOK channels, just a
       Username. Those responsible for the data of the participants are the
       Administrators of said pages. He is not responsible for the files of the
       Cluster. For them to be cancelled, the complainant must contact them.



                                   PROVEN FACTS

    1) B.B.B. denounces A.A.A. for having exposed in a FACEBOOK group
       public and open called "***GROUP.1" his professional resume. contributed
       screen print of said page in which references A.A.A.

       there are comments from the complainant and "There is the curriculum", providing a copy
       of the same inserted in the page, being able to see the photo of the complainant and the
       date 05/16. The curriculum contains studies, courses and job development
       since 2003, address, email and phone number. Service
       Inspection verified by accessing FACEBOOK that in a forum in which

       several people participated, the denouncer's statement is commented on in a
       trial and appears the accused A.A.A. inserting the complainant's resume.
       It also appears that the defendant exposes on said page part of a
       sentence in which it can be read that the complainant denounced the accused
       for threats and the part of the ruling in which you can read that he is acquitted

       of the crime of threats. In news printing of the ***WEB.1, the
       ***DATE.1 the news in which there is an interview with the defendant who
       holds the position of *** POLITICAL PARTY.2.

    2) The complainant extends his complaint on 09/04/2017, verifying that on the date
       09/02/2017 the curriculum appears again exposed by the same person in

       FACEBOOK, group “***GRUPO.1” providing a printed copy of it. Of
       again the complainant in writing of 09/14/2017 states that he has returned to
       post. Provides a copy of screen prints of “***GROUP.1”
       printed on 09/08/2017 in which, following A.A.A. appear again until
       five insertions of the curriculum, and in the group ***GROUP.1 on 09/7 and 9/2017,

       up to 6 times.

    3) Before starting this procedure, on 09/02/2017, the Administrator of the
       group ***GROUP.1 warned the defendant to withdraw said document that

       contains personal data exposed without authorization of the affected party, stating
       the refusal of the latter, who exposed them several times after said
       date.

    4) There is no evidence that the complainant participated in any of the conversations
       the indicated FACEBOOK forums.




28001 – Madrid 6 sedeagpd.gob.es 4/10





                               FOUNDATIONS OF LAW

                                            Yo


       The Director of the Agency is competent to resolve this procedure.
Spanish Data Protection, in accordance with the provisions of article 37. g)
in relation to article 36 of the LOPD.



                                           II


       Article 3.j) of the LOPD specifies “sources accessible to the public:”
those files whose query can be made by any person, not
prevented by a limiting norm or without more requirements than, where appropriate, the payment of
a consideration. They are considered public access sources,

exclusively, the promotional census, the telephone directories in the terms
provided for by its specific regulations and the lists of people belonging to groups
of professionals that contain only the data of name, title, profession,
activity, academic degree, address and indication of their membership in the group.
Likewise, newspapers and bulletins have the character of public access sources.
officials and the media.

       The data that may appear on a website, according to this definition,

sources accessible to the public are not considered.

       On the other hand, if it is true that the complainant physically distributed his
curriculum to other people, this does not authorize the accused to expose it in forums of
FACEBOOK or expose it repeatedly, because the medium used and its
results, also stating that you do not have the consent of the referred for said
exposition.


       The right to data protection, according to one of the judgments of the

Constitutional Court that configures it, STC 292/2000, states that "... the content
of the fundamental right to data protection consists of a power of disposal and
control over personal data that empowers the person to decide which of their
data provides a third party (...) these powers of disposal and control over the
personal data, which constitute part of the fundamental right to the protection of

data is legally specified in the power to consent to the collection, obtaining and
access to personal data, their subsequent storage and treatment, as well as
its use or possible uses, by a third party, be it the State or an individual".

       Neither the fact that the complainant provided a copy of said curriculum in

a public trial converts said document into a source of public access. It's not what
Even if the trial is public, the data provided by the parties at said venue will be
then use to be exposed on FACEBOOK. That the procedure is public
means that the data handled during it can be used without
consent of the affected.





28001 – Madrid 6 sedeagpd.gob.es 5/10



       As for freedom of expression, the fact of annexing a multitude of
Sometimes a resume goes beyond that freedom, using personal data without the
consent of the affected party that are exposed on FACEBOOK. The defendant leaves
with other users and without any relationship, insert, upload or hang the resume. Must be
differentiate between freedom of expression and the violation of the fundamental right to

data protection that occurs when uploading the curriculum that is not related to
the chats that the accused maintains in an informal tone with other users. For him
The aforementioned right is not necessary nor does it appear related to attaching said document,
also taking into account that the complainant does not participate in any way in said
groups.


       Article 6.1 LOPD provides that "The processing of personal data
personnel will require the unequivocal consent of the affected party, unless the Law
provide something else."

       This principle entails the need for the unequivocal consent of the

affected so that your personal data can be processed, the consent
This allows the affected party to exercise control over their personal data (the
informative self-determination), since it is the interested party who has to grant
your consent so that the aforementioned data can be processed.

       This is a fundamental guarantee that is only found as exceptions to

that consent of the affected party, those established in a law, collected in the
section 2 of the aforementioned article 6 LOPD a series of exceptions to the provision of
said consent.

       The respondent is responsible for the treatment carried out with the
résumé of the complainant that in pdf format or in photography has been uploaded in several

occasions to FACEBOOK. Nothing is indicated as a file or has anything to do with the
Administrator or creator of a group. The truth is that the defendant inserts
again, even if the Administrator deletes the whistleblower's resume file.

       Various sentences of which are cited as an example, one of the civil, of the
Provincial Court of Asturias (Section 7) no. 20/2017 of 01/19, resource of

Appeal 526/2016 determines those responsible for the facts, in this case presenting a
sentence with data from another on FACEBOOK as illegitimate interference with honor,
indicating "The Judgment issued in the preceding instance, substantially estimates the
lawsuit filed by F.F.F. in front of D.ª G.G.G., declaring that the publications
made by the latter on July 29 and 30, 2015 on its Facebook account
entail an intrusion into the right to honor of the plaintiffs and condemns the

demands to cease henceforth in any interference in his right to honor,
publish the verdict on your Facebook account and provide the operative part of
the same or access to the Facebook account of the demand to the two people who
are indicated and the solidarity payment to the actors of the amount of 2,100 euros in concept
non-pecuniary damage as well as payment of costs.”


  Regarding the allegation of the accused that the complainant should have exercised

the right of cancellation before the Administrator, and the accused would know this
claim of the complainant since the conversation of the
denounced with the Administrator of a Group with the result of the refusal to withdraw


28001 – Madrid 6 sedeagpd.gob.es 6/10




the curriculum, also stating that he presented it again. On the other hand, the
Group administrator does not have the pdf file that has been posted over and over again or
uploaded to that page. Said action has been carried out by the accused. The
Admin can delete comments or files, but if these are re-inserted
no effect arises. The Administrator is not responsible for what each user

manifests or hangs, which in this case is proven to have its origin in the
denounced. The Administrator may have created the Group, but the use of the
platform does not make you responsible for files. Moreover, in the present
of course, the accused is imputed as responsible for the treatment considered this
in article 3.c) of the LOPD as “operations and technical procedures of
automated character or not, that allow the collection, recording, conservation,

elaboration, modification, blocking and cancellation, as well as the transfers of data that
resulting from communications, consultations, interconnections and transfers.”

       The Court of Justice of the European Union, in the judgment of 6/11/2003 (case
Lindqvist. Case C-101/01) addressed the issue we are dealing with, pointing out

Next:

"The concept of "personal data" used in article 3, paragraph 1, of the
Directive 95/46 comprises, according to the definition contained in article 2, letter
a), of said Directive «all information about a natural person identified or
identifiable”. This concept includes, without a doubt, the name of a person next to his

telephone number or other information regarding your working conditions or your
hobbies

As regards the concept of "processing" of such data used in Article 3,
paragraph 1 of Directive 95/46, this includes, according to the definition of the
Article 2, letter b, of said Directive, "any operation or set of operations,

carried out or not through automated procedures, and applied to data
personal”. This last provision lists several examples of such operations,
including communication by transmission, broadcast or any other form
that facilitates access to data. It follows that conduct consisting of
referencing, on a web page, personal data should be considered a
treatment of this kind.


It remains to be determined whether such processing is 'partially or fully automated'. A
In this regard, it should be noted that disseminating information on a web page implies,
in accordance with the technical and computer procedures that are applied
currently, publish said page on a server, as well as perform the operations
necessary to make it accessible to people who are connected to the Internet.

These operations are carried out, at least in part, in an automated manner.

Therefore, it is appropriate to answer the first question that the conduct that consists in
make reference, on a web page, to various people and to identify them by their
name or by other means, such as your telephone number or information regarding your

working conditions and hobbies, constitutes a "total treatment or
partially automated personal data" within the meaning of Article 3, paragraph
1, of Directive 95/46. "





28001 – Madrid 6 sedeagpd.gob.es 7/10



       The sentence does not distinguish whether the web page is its own or that of another person, but in
In this case, it is accredited that the information containing the data has been exposed
on several occasions by the defendant, then has carried out as many treatments as

occasions this curriculum has been uploaded.
       Regarding the allegation that the complainant is a person with relevant

public, it is accredited that he does not hold any public office understood as elected by
citizenship, even if they have carried out actions related to a
police training. Although he is a person of public relevance, he does not exist
authorization for the exhibition of the curriculum without your consent in repeated
occasions on FACEBOOK.

       Therefore, the commission of the infraction of article 6.1 by the accused is accredited.


       The infraction committed by the accused appears typified as serious in the
article 44.3.b) of the LOPD, which considers as such, "Treat personal data
personnel without obtaining the consent of the affected persons, when the same
necessary in accordance with the provisions of this Law and its development provisions.

                                           III


       Don A.A.A. by exposing, without the consent of the complainant on FACEBOOK the
complainant's CV without limitations, has incurred in the violation of article 10
of the LOPD that indicates:

       “The person responsible for the file and those who intervene in any phase of the
processing of personal data are bound by professional secrecy

regarding them and the duty to safeguard them, obligations that will subsist even
after ending their relations with the owner of the file or, where appropriate, with the
responsible for it."

       Said infraction is typified in article 44.3.d) of the LOPD that

qualifies as serious "The violation of the duty to keep secret about the
processing of personal data referred to in article 10 of the
this Law”.

       It is not proven in this case that the position of the defendant

be responsible for the file that should store the complainant's data. Either
that held any legal position related to it to be required the
data secrecy duty

       Thus, this infraction imputed to the accused is archived.


                                               IV


       Section 6 of article 45 of the LOPD establishes the following:


       “Exceptionally, the sanctioning body may, after hearing the
interested parties and having regard to the nature of the facts and the significant concurrence of
the criteria established in the previous section, not agreeing to open the



28001 – Madrid 6 sedeagpd.gob.es 8/10




sanctioning procedure, and instead, warn the responsible subject so that,
within the term that the sanctioning body determines, proves the adoption of the measures
corrections that in each case are pertinent, provided that the
following budgets:


       a) That the facts constituted a minor or serious infraction in accordance with
           the provisions of this Law.
       b) That the offender had not been previously sanctioned or warned.

       If the warning is not addressed within the period that the sanctioning body
determined, the opening of the corresponding procedure will proceed

sanction for said non-compliance.

       In this regard, it is appropriate to consider the provisions of article 45.4 and 5 of the
LOPD, which establishes the following:


"4. The amount of the sanctions will be graduated according to the following criteria:

       a) The continuing nature of the offence.
       b) The volume of treatments carried out.
       c) The link between the activity of the offender and the performance of treatments
           of personal data.

       d) The volume of business or activity of the offender.
       e) The benefits obtained as a result of the commission of the
           infringement.
       f) The degree of intentionality.
       g) Recidivism due to commission of infractions of the same nature.
       h) The nature of the damages caused to the interested persons or to

third persons.
       i) Proof that prior to the events constituting the
infringement, the accused entity had adequate procedures in place for
action in the collection and treatment of IOS personal data, being the
infraction as a result of an anomaly in the operation of said
procedures not due to a lack of diligence required of the offender.

       j) Any other circumstance that is relevant to determine the degree of
illegality and culpability present in the specific infringing action.

       5. The sanctioning body will establish the amount of the sanction applying the
scale relative to the class of offenses immediately preceding in severity
that in which the one considered in the case in question is integrated, in the following

assumptions:

       a) When there is a qualified decrease in the guilt of the
           accused or of the unlawfulness of the act as a consequence of the
           significant concurrence of several of the criteria set forth in the

           section 4 of this article.
       b) When the infringing entity has regularized the irregular situation of
           diligent way.
       c) When it can be seen that the behavior of the affected party has been able to induce
           the commission of the offence.



28001 – Madrid 6 sedeagpd.gob.es 9/10



       d) When the offender has spontaneously admitted his guilt.
       e) When a merger process by absorption has taken place and the
           infraction was prior to said process, not being attributable to the entity

           absorbent".

       In this case, the requirements set forth in sections
a) and b) of the aforementioned article 45.6 of the LOPD. Along with this, there is a qualified
decrease in the guilt of the defendant due to the concurrence of several criteria of
those set forth in article 45.4 of the LOPD (article 45.5.a LOPD), specifically:


               The volume of treatments carried out.
               Absence of recidivism, not having been sanctioned previously
               for the commission of infractions of the same nature.
               There are no records of damage caused to the interested party or to third parties

               persons, except those arising from the offense committed.
               The lack of connection between the offender's activity and the performance of
               processing of personal data.


          According to what was stated,


          By the Director of the Spanish Data Protection Agency,

          HE REMEMBERS:



1.- NOTICE (A/00291/2017) to D. A.A.A. in accordance with the provisions of article
45.6 of the LOPD, in relation to the complaint for violation of article 6.1 of the LOPD,
typified as serious in article 44.3.d) of the aforementioned Organic Law.



2.- REQUIRE D.A.A.A. in accordance with the provisions of section 6 of article
45 of the LOPD so that within a month from this act of notification:

    2.1.- COMPLY with the provisions of article 6.1 of the LOPD. Specifically, it is urged
    denounced to remove from any FACEBOOK group the file containing the

    complainant's resume. You must provide and inform this AEPD within the term of
    ten days, with a printed copy of the page, date and web address that existed and
    contained the exposed resume, and printed copy of the same page without the
    curriculum, and the same URL address, being also admissible any other
    means of accreditation of such extremes.


You are warned that if you do not meet the aforementioned requirement, you could incur in
infraction typified in article 44 of the LOPD and punishable in accordance with the
provided in article 45 of the aforementioned Organic Law.


3.- NOTIFY this Agreement to A.A.A.

In accordance with the provisions of section 2 of article 37 of the LOPD, in the
wording given by article 82 of Law 62/2003, of 12/30, on fiscal measures,



28001 – Madrid 6 sedeagpd.gob.es 10/10




administrative and social order, this Resolution will be made public, once
interested parties have been notified. The publication will be made in accordance with

provided for in Instruction 1/2004, of 12/22, of the Spanish Agency for the Protection of
Data on the publication of its Resolutions and in accordance with the provisions of the
article 116 of the regulations for the development of the LOPD approved by Royal Decree
1720/2007, of 12/21.


   Against this resolution, which puts an end to the administrative procedure (article 48.2 of the
LOPD), and in accordance with the provisions of articles 112 and 123 of the Law
39/2015, of 1/10, of the Common Administrative Procedure of the Administrations
Public, interested parties may optionally file an appeal for reconsideration

before the Director of the Spanish Agency for Data Protection within a period of
month from the day following the notification of this resolution, or,
directly contentious-administrative appeal before the Contentious Chamber-
of the National High Court, in accordance with the provisions of article 25 and

in section 5 of the fourth additional provision of Law 29/1998, of 13/07,
regulation of the Contentious-Administrative Jurisdiction, within a period of two months to
count from the day following the notification of this act, as provided in the
article 46.1 of the aforementioned legal text.



Sea Spain Marti
Director of the Spanish Data Protection Agency



































C/ Jorge Juan, 6 www.agpd.es
28001 – Madrid sedeagpd.gob.es