AEPD (Spain) - A/00291/2017
Relevant law: Article 6(1)(a) GDPR; Article 7 GDPR
The Spanish DPA ordered the removal of a professional resume uploaded on a public Facebook group without the consent of the data subject.
English Summary
Facts
The data subject's curriculum vitae (CV) had been published on a public and open Facebook group without their consent. The CV included their home address, telephone number and e-mail address, among other personal information. The data subject stated that they were unaware of how the CV came into the hands of the person publishing it (the controller). Although it could have been obtained from websites such as LinkedIn or Infojobs, their settings only allowed recruiters to access it. Further, the data subject claimed that, based on a Google search, the controller was the administrator of several companies and could therefore have used this position to access the CV. The data subject also indicated that the CV could have been provided by a third party, with whom they had shared it a couple of years ago when looking for a job.
The data subject submitted a complaint to the Spanish DPA indicating that the controller posted their resume in the same Facebook group several times and stating that they had contacted the Group Administrator and the controller who refused to remove the publication.
The controller presented several arguments in its defence. It claimed that the data subject's resume had been public at all times, considering its availability on portals, such as LinkedIn. Moreover, the controller submitted that the data subject was a public figure, therefore their professional activity was already available to the public. Allegedly, the CV also 'circulated publicly' since a trial involving the data subject. Finally, the controller argued that they were not actually responsible for removing the files, as it should be the task of the Facebook group administrator.
Holding
First, the Spanish DPA recalled that data which may appear on a website, according to Article 3(j) of the LOPD, are not considered sources accessible to the public. The fact that the controller provided a copy of said resume in a public trial did not convert said document into a source of public access.
Second, even if it was true that the data subject physically distributed their resume to other people, it did not authorise the controller to disseminate it on Facebook forums or expose it repeatedly. The DPA confirmed that the controller did not collect consent within the meaning of Article 6(1)(a) GDPR for said dissemination.
Third, the DPA noted that freedom of expression must be differentiated from the violation of the fundamental right to data protection. Such a violation occurred when uploading a CV not related to the activity of the controller in order to maintain informal contacts on a Facebook group.
Fourth, regarding the allegation that the data subject was a person of public relevance, it was proven that they did not hold any public office. Rather, they have performed actions related to political training. Hence, there was no authorisation for the exhibition of the CV on Facebook without the data subject's consent on repeated occasions.
Fifth, the DPA stated that the controller was responsible for uploading the data subject's CV to Facebook on several occasions and as such, violated Article 10 of the LOPD relating to professional secrecy.
In conclusion, the Spanish DPA considered this violation as serious and ordered the controller to remove the file containing the data subject's CV from the Facebook group.
Comment
There are two important points that can be extracted from this decision:
1. The definition of public sources as per Article 3(j) of the Spanish Data Protection law
"Sources accessible to the public: those files whose consultation can be carried out by any person, not prevented by a limiting rule or without further requirement than, where appropriate, the payment of a consideration.
They are exclusively considered public access sources, the promotional census, the telephone directories in the terms provided by their specific regulations and the lists of people belonging to groups of professionals that contain only the data of name, title, profession, activity, academic degree, address and indication of their membership in the group. Likewise, official newspapers and bulletins and the media have the character of public access sources."
Thus, the AEPD stated that social media websites can't be considered a public source.
2. A person who publishes someone else's personal data on social media pages without their consent is considered responsible for the processing and, as such, is subject to being fined under the GDPR and Spanish data protection law.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: A/00291/2017
RESOLUTION: R/02928/2017
In procedure A/00291/2017, instructed by the Spanish Agency for Data Protection to A.A.A., given the complaint filed by B.B.B. and under the following,
BACKGROUND
FIRST: On 06/19/2017, this Agency received a document sent by Don B.B.B., in which he states the following:
<<On May 16, an individual named A.A.A. made a broadcast of my resume in a Facebook group, PUBLIC and OPEN, named "***GROUP 1". In said curriculum, in addition to other information, my address, telephone number and e-mail are perfectly visible, without in any case having been obtained my consent for said publication. In addition, I do not know how it came into the hands of Mr. A.A.A. me resume, although you could have obtained it from portals such as Linkedin or Infojobs, if well my advertising settings on both portals prevent my spreadsheet curriculum is accessible, except for companies demanding personnel. A Google search allows verifying that Mr. A.A.A. listed as administrator from various companies, which could have been used to access my data personal information and, much more serious, spreading them without my consent. In the same way, the curriculum could have been provided by Mr. C.C.C., to whom I myself had provided it to him a couple of years ago, when I was looking for work, in order to present it to the administrator of your community of neighbors and with whom he maintained a friendly relationship today turned into manifest enmity. Mr. C.C.C. and Mr. A.A.A. they are friends with each other. Accompanying screenshot of the publication of the curriculum, which can be verified at the following link, after logging-in on FACEBOOK: https://***URL.1.
In it, the defendant in conversation with other people refers to the complainant, who does not appear to participate in any way in the Group, since “(...)”, or “(...)”
SECOND: Dated ***DATE.1, there is an Inspection Procedure in which the verifies that the reported information is still accessible on the internet.
THIRD: On 09/04/2017, an extension to the complaint was received from the complainant. He states that A.A.A.. has re-disseminated his curriculum in the group of FACEBOOK “***GROUP.1”. This group is accessed by request and has over 7,000 members. He states that he contacted the Administrator of the Group and contacted the reported user, refusing to do so Aporta copy that ratifies it and in which the defendant refuses to withdraw it. In the resume inserts, the complainant alludes again in conversation, again to the creator of “photoshops”
FOURTH: The complainant files a third extension of his complaint on 09/14/2017. It states that the defendant has made eight new broadcasts of his data, on the FACEBOOK channels: “***GRUPO.1” and “***GRUPO.1”. Contribute screen printing of 09/7 and 14/09/2017, in which it can be seen that on the printing of the curriculum on one side, ***GROUP.1 is indicated and on another screen the curriculum of the complainant with his photo. Is another screen print dated 09/08/2017, with the same curriculum on page ***GROUP.1. Also on the same page is exposed in other hours of the same day the same curriculum. It also indicates that he asked the Administrator remove said file, indicating that it had already removed some files, providing a screen print copy in this regard.
The expressions that accompanies the defendant to the insertion of the curriculum in conversation with others, without record that the complainant does so with expressions such as “(...)”, reiterating the insertion with “(...)”, “the author”, or “for the moment that serves as a reminder”
FIFTH: Consultation of the AEPD application that manages the consultation of history of sanctions and previous warnings, the accused is not there are previous records.
SIXTH: On 09/29/2017, the Director of the Spanish Agency for the Protection of Data agreed to submit this proceeding to a prior hearing. warning A/00291/2017 for infringement of articles 6.1 and 10 of the LOPD, for part of AAA, typified as serious in articles 44.3.b) and 44.3.c) of the LOPD.
SEVENTH: On 10/18/2017, the defendant filed allegations indicating:
1) The complainant's resume has been public at all times. Your data is published on public portals such as LINKEDIN or INFOJOBS, which It considers it as a “public access source” and it expresses it. It is not true that you have obtained the complainant's curriculum by accessing said pages nor has anyone given it to them. He also posted it on FACEBOOK And has delivered it to people since 2014.
2) The complainant is a public figure who held several positions as a spokesperson of ***PARTIDO POLITICO.1 in ***LOCALIDAD.1 and continues to belong to same. People already know your activity and a person's personal data party public.
3) He had a trial with the complainant and he contributed to said process a copy of his curriculum as evidence and since it was a public trial, the curriculum “circulated publicly”
4) The FACEBOOK groups “***GROUP.1” and “***GROUP.1” are channels not officials of participants of the political party to which “we both belong”.
5) Freedom of expression in forums, as a constitutional right.
6) He is not responsible for any of the FACEBOOK channels, just a Username.
Those responsible for the data of the participants are the Administrators of said pages. He is not responsible for the files of the Cluster. For them to be cancelled, the complainant must contact them.
PROVEN FACTS
1) B.B.B. denounces A.A.A. for having exposed in a FACEBOOK group public and open called "***GROUP.1" his professional resume. contributed screen print of said page in which references A.A.A. there are comments from the complainant and "There is the curriculum", providing a copy of the same inserted in the page, being able to see the photo of the complainant and the date 05/16. The curriculum contains studies, courses and job development since 2003, address, email and phone number. Service Inspection verified by accessing FACEBOOK that in a forum in which several people participated, the denouncer's statement is commented on in a trial and appears the accused A.A.A. inserting the complainant's resume. It also appears that the defendant exposes on said page part of a sentence in which it can be read that the complainant denounced the accused for threats and the part of the ruling in which you can read that he is acquitted of the crime of threats. In news printing of the ***WEB.1, the ***DATE.1 the news in which there is an interview with the defendant who holds the position of *** POLITICAL PARTY.2.
2) The complainant extends his complaint on 09/04/2017, verifying that on the date 09/02/2017 the curriculum appears again exposed by the same person in FACEBOOK, group “***GRUPO.1” providing a printed copy of it. Of again the complainant in writing of 09/14/2017 states that he has returned to post. Provides a copy of screen prints of “***GROUP.1” printed on 09/08/2017 in which, following A.A.A. appear again until five insertions of the curriculum, and in the group ***GROUP.1 on 09/7 and 9/2017, up to 6 times.
3) Before starting this procedure, on 09/02/2017, the Administrator of the group ***GROUP.1 warned the defendant to withdraw said document that contains personal data exposed without authorization of the affected party, stating the refusal of the latter, who exposed them several times after said date.
4) There is no evidence that the complainant participated in any of the conversations the indicated FACEBOOK forums.
FOUNDATIONS OF LAW
I
The Director of the Agency is competent to resolve this procedure. Spanish Data Protection, in accordance with the provisions of article 37. g) in relation to article 36 of the LOPD.
II
Article 3.j) of the LOPD specifies “sources accessible to the public:” those files whose query can be made by any person, not prevented by a limiting norm or without more requirements than, where appropriate, the payment of a consideration. They are considered public access sources, exclusively, the promotional census, the telephone directories in the terms provided for by its specific regulations and the lists of people belonging to groups of professionals that contain only the data of name, title, profession, activity, academic degree, address and indication of their membership in the group. Likewise, newspapers and bulletins have the character of public access sources. officials and the media.
The data that may appear on a website, according to this definition, sources accessible to the public are not considered.
On the other hand, if it is true that the complainant physically distributed his curriculum to other people, this does not authorize the accused to expose it in forums of FACEBOOK or expose it repeatedly, because the medium used and its results, also stating that you do not have the consent of the referred for said exposition.
The right to data protection, according to one of the judgments of the Constitutional Court that configures it, STC 292/2000, states that "...
the content of the fundamental right to data protection consists of a power of disposal and control over personal data that empowers the person to decide which of their data provides a third party (...) these powers of disposal and control over the personal data, which constitute part of the fundamental right to the protection of data is legally specified in the power to consent to the collection, obtaining and access to personal data, their subsequent storage and treatment, as well as its use or possible uses, by a third party, be it the State or an individual".
Neither the fact that the complainant provided a copy of said curriculum in a public trial converts said document into a source of public access. It's not what Even if the trial is public, the data provided by the parties at said venue will be then use to be exposed on FACEBOOK. That the procedure is public means that the data handled during it can be used without consent of the affected.
As for freedom of expression, the fact of annexing a multitude of Sometimes a resume goes beyond that freedom, using personal data without the consent of the affected party that are exposed on FACEBOOK. The defendant leaves with other users and without any relationship, insert, upload or hang the resume. Must be differentiate between freedom of expression and the violation of the fundamental right to data protection that occurs when uploading the curriculum that is not related to the chats that the accused maintains in an informal tone with other users. For him The aforementioned right is not necessary nor does it appear related to attaching said document, also taking into account that the complainant does not participate in any way in said groups.
Article 6.1 LOPD provides that "The processing of personal data personnel will require the unequivocal consent of the affected party, unless the Law provide something else."
This principle entails the need for the unequivocal consent of the affected so that your personal data can be processed, the consent This allows the affected party to exercise control over their personal data (the informative self-determination), since it is the interested party who has to grant your consent so that the aforementioned data can be processed. This is a fundamental guarantee that is only found as exceptions to that consent of the affected party, those established in a law, collected in the section 2 of the aforementioned article 6 LOPD a series of exceptions to the provision of said consent. The respondent is responsible for the treatment carried out with the résumé of the complainant that in pdf format or in photography has been uploaded in several occasions to FACEBOOK. Nothing is indicated as a file or has anything to do with the Administrator or creator of a group. The truth is that the defendant inserts again, even if the Administrator deletes the whistleblower's resume file. Various sentences of which are cited as an example, one of the civil, of the Provincial Court of Asturias (Section 7) no. 20/2017 of 01/19, resource of Appeal 526/2016 determines those responsible for the facts, in this case presenting a sentence with data from another on FACEBOOK as illegitimate interference with honor, indicating "The Judgment issued in the preceding instance, substantially estimates the lawsuit filed by F.F.F. 
in front of D.ª G.G.G., declaring that the publications made by the latter on July 29 and 30, 2015 on its Facebook account entail an intrusion into the right to honor of the plaintiffs and condemns the demands to cease henceforth in any interference in his right to honor, publish the verdict on your Facebook account and provide the operative part of the same or access to the Facebook account of the demand to the two people who are indicated and the solidarity payment to the actors of the amount of 2,100 euros in concept non-pecuniary damage as well as payment of costs.”
Regarding the allegation of the accused that the complainant should have exercised the right of cancellation before the Administrator, and the accused would know this claim of the complainant since the conversation of the denounced with the Administrator of a Group with the result of the refusal to withdraw the curriculum, also stating that he presented it again. On the other hand, the Group administrator does not have the pdf file that has been posted over and over again or uploaded to that page. Said action has been carried out by the accused. The Admin can delete comments or files, but if these are re-inserted no effect arises. The Administrator is not responsible for what each user manifests or hangs, which in this case is proven to have its origin in the denounced. The Administrator may have created the Group, but the use of the platform does not make you responsible for files.
Moreover, in the present of course, the accused is imputed as responsible for the treatment considered this in article 3.c) of the LOPD as “operations and technical procedures of automated character or not, that allow the collection, recording, conservation, elaboration, modification, blocking and cancellation, as well as the transfers of data that resulting from communications, consultations, interconnections and transfers.” The Court of Justice of the European Union, in the judgment of 6/11/2003 (case Lindqvist. Case C-101/01) addressed the issue we are dealing with, pointing out Next: "The concept of "personal data" used in article 3, paragraph 1, of the Directive 95/46 comprises, according to the definition contained in article 2, letter a), of said Directive «all information about a natural person identified or identifiable”. This concept includes, without a doubt, the name of a person next to his telephone number or other information regarding your working conditions or your hobbies As regards the concept of "processing" of such data used in Article 3, paragraph 1 of Directive 95/46, this includes, according to the definition of the Article 2, letter b, of said Directive, "any operation or set of operations, carried out or not through automated procedures, and applied to data personal”. This last provision lists several examples of such operations, including communication by transmission, broadcast or any other form that facilitates access to data. It follows that conduct consisting of referencing, on a web page, personal data should be considered a treatment of this kind. It remains to be determined whether such processing is 'partially or fully automated'. 
In this regard, it should be noted that disseminating information on a web page implies, in accordance with the technical and computer procedures that are applied currently, publish said page on a server, as well as perform the operations necessary to make it accessible to people who are connected to the Internet. These operations are carried out, at least in part, in an automated manner. Therefore, it is appropriate to answer the first question that the conduct that consists in make reference, on a web page, to various people and to identify them by their name or by other means, such as your telephone number or information regarding your working conditions and hobbies, constitutes a "total treatment or partially automated personal data" within the meaning of Article 3, paragraph 1, of Directive 95/46. "
The sentence does not distinguish whether the web page is its own or that of another person, but in In this case, it is accredited that the information containing the data has been exposed on several occasions by the defendant, then has carried out as many treatments as occasions this curriculum has been uploaded.
Regarding the allegation that the complainant is a person with relevant public, it is accredited that he does not hold any public office understood as elected by citizenship, even if they have carried out actions related to a police training. Although he is a person of public relevance, he does not exist authorization for the exhibition of the curriculum without your consent in repeated occasions on FACEBOOK.
Therefore, the commission of the infraction of article 6.1 by the accused is accredited.
The infraction committed by the accused appears typified as serious in the article 44.3.b) of the LOPD, which considers as such, "Treat personal data personnel without obtaining the consent of the affected persons, when the same necessary in accordance with the provisions of this Law and its development provisions.
III
Don A.A.A. by exposing, without the consent of the complainant on FACEBOOK the complainant's CV without limitations, has incurred in the violation of article 10 of the LOPD that indicates: “The person responsible for the file and those who intervene in any phase of the processing of personal data are bound by professional secrecy regarding them and the duty to safeguard them, obligations that will subsist even after ending their relations with the owner of the file or, where appropriate, with the responsible for it."
Said infraction is typified in article 44.3.d) of the LOPD that qualifies as serious "The violation of the duty to keep secret about the processing of personal data referred to in article 10 of the this Law”.
It is not proven in this case that the position of the defendant be responsible for the file that should store the complainant's data. Either that held any legal position related to it to be required the data secrecy duty Thus, this infraction imputed to the accused is archived.
IV
Section 6 of article 45 of the LOPD establishes the following: “Exceptionally, the sanctioning body may, after hearing the interested parties and having regard to the nature of the facts and the significant concurrence of the criteria established in the previous section, not agreeing to open the sanctioning procedure, and instead, warn the responsible subject so that, within the term that the sanctioning body determines, proves the adoption of the measures corrections that in each case are pertinent, provided that the following budgets:
a) That the facts constituted a minor or serious infraction in accordance with the provisions of this Law.
b) That the offender had not been previously sanctioned or warned.
If the warning is not addressed within the period that the sanctioning body determined, the opening of the corresponding procedure will proceed sanction for said non-compliance.
In this regard, it is appropriate to consider the provisions of article 45.4 and 5 of the LOPD, which establishes the following:
"4. The amount of the sanctions will be graduated according to the following criteria:
a) The continuing nature of the offence.
b) The volume of treatments carried out.
c) The link between the activity of the offender and the performance of treatments of personal data.
d) The volume of business or activity of the offender.
e) The benefits obtained as a result of the commission of the infringement.
f) The degree of intentionality.
g) Recidivism due to commission of infractions of the same nature.
h) The nature of the damages caused to the interested persons or to third persons.
i) Proof that prior to the events constituting the infringement, the accused entity had adequate procedures in place for action in the collection and treatment of personal data, being the infraction as a result of an anomaly in the operation of said procedures not due to a lack of diligence required of the offender.
j) Any other circumstance that is relevant to determine the degree of illegality and culpability present in the specific infringing action.
5. The sanctioning body will establish the amount of the sanction applying the scale relative to the class of offenses immediately preceding in severity that in which the one considered in the case in question is integrated, in the following assumptions:
a) When there is a qualified decrease in the guilt of the accused or of the unlawfulness of the act as a consequence of the significant concurrence of several of the criteria set forth in the section 4 of this article.
b) When the infringing entity has regularized the irregular situation of diligent way.
c) When it can be seen that the behavior of the affected party has been able to induce the commission of the offence.
d) When the offender has spontaneously admitted his guilt.
e) When a merger process by absorption has taken place and the infraction was prior to said process, not being attributable to the entity absorbent".
In this case, the requirements set forth in sections a) and b) of the aforementioned article 45.6 of the LOPD. Along with this, there is a qualified decrease in the guilt of the defendant due to the concurrence of several criteria of those set forth in article 45.4 of the LOPD (article 45.5.a LOPD), specifically: The volume of treatments carried out. Absence of recidivism, not having been sanctioned previously for the commission of infractions of the same nature. There are no records of damage caused to the interested party or to third parties persons, except those arising from the offense committed. The lack of connection between the offender's activity and the performance of processing of personal data.
According to what was stated, By the Director of the Spanish Data Protection Agency, HE REMEMBERS:
1.- NOTICE (A/00291/2017) to D. A.A.A. in accordance with the provisions of article 45.6 of the LOPD, in relation to the complaint for violation of article 6.1 of the LOPD, typified as serious in article 44.3.d) of the aforementioned Organic Law.
2.- REQUIRE D.A.A.A. in accordance with the provisions of section 6 of article 45 of the LOPD so that within a month from this act of notification:
2.1.- COMPLY with the provisions of article 6.1 of the LOPD. Specifically, it is urged denounced to remove from any FACEBOOK group the file containing the complainant's resume. You must provide and inform this AEPD within the term of ten days, with a printed copy of the page, date and web address that existed and contained the exposed resume, and printed copy of the same page without the curriculum, and the same URL address, being also admissible any other means of accreditation of such extremes.
You are warned that if you do not meet the aforementioned requirement, you could incur in infraction typified in article 44 of the LOPD and punishable in accordance with the provided in article 45 of the aforementioned Organic Law.
3.- NOTIFY this Agreement to A.A.A.
In accordance with the provisions of section 2 of article 37 of the LOPD, in the wording given by article 82 of Law 62/2003, of 12/30, on fiscal measures, administrative and social order, this Resolution will be made public, once interested parties have been notified. The publication will be made in accordance with provided for in Instruction 1/2004, of 12/22, of the Spanish Agency for the Protection of Data on the publication of its Resolutions and in accordance with the provisions of the article 116 of the regulations for the development of the LOPD approved by Royal Decree 1720/2007, of 12/21.
Against this resolution, which puts an end to the administrative procedure (article 48.2 of the LOPD), and in accordance with the provisions of articles 112 and 123 of the Law 39/2015, of 1/10, of the Common Administrative Procedure of the Administrations Public, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a period of month from the day following the notification of this resolution, or, directly contentious-administrative appeal before the Contentious Chamber- of the National High Court, in accordance with the provisions of article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 13/07, regulation of the Contentious-Administrative Jurisdiction, within a period of two months to count from the day following the notification of this act, as provided in the article 46.1 of the aforementioned legal text.
Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.agpd.es 28001 – Madrid sedeagpd.gob.es