AEPD (Spain) - E/05270/2018 – E/08416/2018

From GDPRhub
AEPD (Spain) - E/05270/2018 – E/08416/2018
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Article 17 GDPR
Article 56 GDPR
Type: Complaint
Outcome: Other Outcome
Decided:
Published:
Fine: None
Parties: Facebook
National Case Number/Name: E/05270/2018 – E/08416/2018
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA forwarded a complaint by a data subject regarding a public Facebook page that was created without their consent and disclosed their personal data (name, surname, address) to the Irish DPA. When they tried to delete it, the company requested that they prove their identity by providing even more personal data.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject complained because Facebook unilaterally generated a public page disclosing their name, surname and address without their consent. They had contacted the "person in charge of the social network" to request the deletion of the web page, but it were asked for an "accreditation of [their] identity."

Holding[edit | edit source]

The Spanish DPA forwarded the complaint to the Irish DPA as the main establishment of Facebook in Europe is in Ireland. The Irish DPC forwarded the complaint to Facebook and mediated to find an amicable solution by which Facebook accepted to delete the account opened on behalf of the complainant. The decision was communicated to the Spanish DPA that forwarded it to the complainant.

Comment[edit | edit source]

The decision from the Spanish DPA does not explain whether (i) there was any investigation by the Irish DPA on why the page had been generated in the first place, and (ii) how Facebook had access to the data of the complainant.

The decision is also not clear about whether Facebook itself generated the page, or was opened by an individual.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


Page 1
1/4
1103-271119
 N / Ref .: E / 05270/2018 - E / 08416/2018
RESOLUTION OF ACTION FILE
Of the actions carried out on the occasion of the claim presented in the Agency
Spanish Data Protection and based on the following
FACTS
FIRST : On 07/04/2018 and registration number 183325/2018, it was entered in
this Agency a claim filed against FACEBOOK for an alleged
violation of arts. 6 and 17 of Regulation (EU) 2016/679 of the European Parliament
and of the Council of April 27, 2016, regarding the protection of natural persons
with regard to the processing of personal data and the free circulation of these
data (hereinafter GDPR).
The reasons on which the claimant bases the claim are:
 The social network FACEBOOK has generated a web page without your authorization
public associated with your name and surname, incorporating in it information
staff that he has not provided (eg address), and some data
incorrect (your profession).
 The claimant has contacted the person in charge of the social network
requesting the deletion of the web page, but it has been requested accreditation of
your identity.
The only information or documentation that accompanies the claimant is the indication
of the URL of the aforementioned web page (*** URL.1)
SECOND : FACEBOOK has its main establishment in Ireland ( FACEBOOK
IRELAND LTD. )
THIRD: The aforementioned claim was transferred to the Data Protection Commission (DPC)
–The supervisory authority of Ireland–, as it is competent to act as an authority
of main control, in accordance with the provisions of article 56.1 of the RGPD.
FOURTH: Following its internal procedures, the Irish supervisory authority
DPC has sought to obtain an amicable resolution of the case. For this, he has contacted
with the person responsible for this claim, and he has resolved to eliminate the
website whose deletion requested the claimant. Subsequently, the DPC has
provided this Agency with a letter to forward to the claimant, in which they transfer
the response of the person in charge, they inform you of the amicable resolution achieved and
they ask to know your opinion about it.
FIFTH: This Agency notified the claimant of the communication provided by the DPC
dated 01/23/2019, and no response has been received. Additionally,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 2
2/4
Inspection services of this Agency have verified that the web page object of
the claim has been suppressed.
FOUNDATIONS OF LAW
I.
Competence
In accordance with the provisions of article 60.8 of the RGPD, it is competent to
adopt this resolution by the Director of the Spanish Data Protection Agency,
in accordance with article 12.2, section i) of Royal Decree 428/1993, of 26
March, which approves the Statute of the Data Protection Agency (in
ahead, RD 428/1993) and the first transitory provision of Organic Law 3/2018,
of December 5, Protection of Personal Data and guarantee of rights
digital (hereinafter, LOPDGDD).
II.
Main establishment, cross-border treatment and supervisory authority
principal
Article 4.16 of the GDPR defines "main establishment":
“A) with regard to a data controller with establishments in more
of a Member State, the place of its central administration in the Union, unless the
decisions about the purposes and means of the treatment are made in another
establishment of the controller in the Union and the latter establishment has the
power to enforce such decisions, in which case the establishment that has
made such decisions shall be considered the main establishment;
b) in what refers to a person in charge of the treatment with establishments in more than
a Member State, the place of its central administration in the Union or, if it lacks
this, the establishment of the person in charge in the Union in which the main
processing activities in the context of the activities of an establishment of the
processor to the extent that the processor is subject to specific obligations
in accordance with this Regulation "
For its part, article 4.23 of the RGPD considers "cross-border treatment":
"A) the processing of personal data carried out in the context of the activities of
establishments in more than one Member State of a manager or a manager
of the treatment in the Union, if the controller or processor is established in more
of a Member State,
or b) the processing of personal data carried out in the context of the activities of
a single establishment of a controller or processor in the
Union, but which substantially affects or is likely to substantially affect
interested in more than one Member State "
The RGPD provides, in its article 56.1, for cases of cross-border processing,
provided for in its article 4.23), in relation to the competence of the
main control, that, without prejudice to the provisions of article 55, the authority of
control of the main establishment or the sole establishment of the person in charge or
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 3
3/4
The person in charge of the treatment will be competent to act as a control authority
principal for the cross-border processing carried out by said controller or
commissioned in accordance with the procedure established in article 60.
In the case examined, as has been stated, FACEBOOK has its establishment
principal for the processing of personal data of European residents in Ireland
( FACEBOOK IRELAND LTD. ) , So the Data Protection Commission (DPC) is the
competent to act as the main supervisory authority.
III.
Cooperation and coherence procedure
Article 60 of the RGPD provides in section 8 the following:
8 . Notwithstanding the provisions of section 7, when a
claim, the supervisory authority to which it has been submitted will adopt the
decision, will notify the claimant and inform the person responsible for the treatment. "
IV.
Issue claimed and legal reasoning
In this case, it was presented on 07/04/2018 at the Spanish Agency for
Data Protection a claim against FACEBOOK for an alleged
violation of arts. 6 and 17 of the GDPR.
The aforementioned claim was transferred to the Irish supervisory authority as the
competent to act as the main supervisory authority, in accordance with the provisions of
Article 56.1 of the RGPD. Following its internal procedures, the authority of
Irish control has sought to obtain an amicable resolution of the case. For it,
has contacted the person responsible for this claim, and he has resolved
delete the web page whose deletion requested the claimant. Subsequently, the
DPC has provided this Agency with a letter to forward to the claimant, in which
transmit the response of the person in charge, inform you of the amicable resolution
achieved and ask to know your opinion about it. They offer to answer a
within 1 month from the date indicated in the letter. If they do not receive a
In response, they consider the claim withdrawn, based on their national regulations.
This Agency notified the claimant of the communication provided by the DPC dated
01/23/2019, and no response has been received. Additionally, the services of
Inspection of this Agency have verified that the web page object of the
claim has been suppressed.
Consequently, this Agency considers that your claim has been addressed and
the claim file proceeds. Therefore, in accordance with the above, by the
Director of the Spanish Agency for Data Protection,
HE REMEMBERS:
FIRST: PROCEED TO THE FILE of the claim filed against
FACEBOOK.
SECOND: NOTIFY this Resolution to the CLAIMANT
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 4
4/4
THIRD: INFORM FACEBOOK IRELAND LTD.
In accordance with the provisions of article 50 of the LOPDGDD, this
resolution will be made public once it has been notified to the interested parties. Against this
resolution, which puts an end to the administrative procedure according to the provisions of art.
114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure
of the Public Administrations, and in accordance with the provisions of arts. 112
and 123 of the aforementioned Law 39/2015, of October 1, interested parties may file,
Optionally, appeal for reconsideration before the Director of the Spanish Agency for
Data Protection within a month from the day after the
notification of this resolution or directly administrative contentious appeal before
the Contentious-Administrative Chamber of the National Court, in accordance with
provided in article 25 and section 5 of the fourth additional provision of the
Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,
within two months from the day following notification of this act,
as provided in article 46.1 of the aforementioned Law.
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es