AEPD (Spain) - E/05270/2018 – E/08416/2018
| Relevant Law: | Article 6 GDPR, Article 17 GDPR, Article 56 GDPR |
| National Case Number/Name: | E/05270/2018 – E/08416/2018 |
| European Case Law Identifier: | n/a |
| Original Source: | AEPD (in ES) |
The Spanish DPA forwarded to the Irish DPA a complaint by a data subject regarding a public Facebook page that was created without their consent and disclosed their personal data (name, surname, address). When they tried to delete it, the company requested that they prove their identity by providing even more personal data.
English Summary
Facts
A data subject complained because Facebook unilaterally generated a public page disclosing their name, surname and address without their consent. They had contacted the "person in charge of the social network" to request the deletion of the web page, but they were asked for an "accreditation of [their] identity."
Holding
The Spanish DPA forwarded the complaint to the Irish DPA, as the main establishment of Facebook in Europe is in Ireland. The Irish DPC forwarded the complaint to Facebook and mediated to find an amicable solution, under which Facebook agreed to delete the account opened on behalf of the complainant. The decision was communicated to the Spanish DPA, which forwarded it to the complainant.
Comment
The decision from the Spanish DPA does not explain (i) whether there was any investigation by the Irish DPA into why the page had been generated in the first place, and (ii) how Facebook had access to the data of the complainant.
The decision is also not clear about whether Facebook itself generated the page, or whether it was opened by an individual.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1103-271119

N/Ref.: E/05270/2018 - E/08416/2018

RESOLUTION TO ARCHIVE PROCEEDINGS

On the basis of the actions carried out in connection with the claim submitted to the Spanish Data Protection Agency, and on the basis of the following

FACTS

FIRST: On 07/04/2018, under registration number 183325/2018, a claim was filed with this Agency against FACEBOOK for an alleged violation of arts. 6 and 17 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter GDPR).

The reasons on which the claimant bases the claim are:

The social network FACEBOOK has generated, without the claimant's authorization, a public web page associated with the claimant's name and surname, incorporating personal information that the claimant has not provided (e.g. address) and some incorrect data (the claimant's profession). The claimant has contacted the person in charge of the social network requesting the deletion of the web page, but has been asked for accreditation of their identity.

The only information or documentation that the claimant provides is the URL of the aforementioned web page (***URL.1).

SECOND: FACEBOOK has its main establishment in Ireland (FACEBOOK IRELAND LTD.).

THIRD: The aforementioned claim was transferred to the Data Protection Commission (DPC), the supervisory authority of Ireland, as it is competent to act as main supervisory authority, in accordance with the provisions of article 56.1 of the GDPR.

FOURTH: Following its internal procedures, the Irish supervisory authority (DPC) has sought to obtain an amicable resolution of the case. To this end, it has contacted the person responsible for this claim, who has resolved to delete the web page whose deletion the claimant requested.

Subsequently, the DPC has provided this Agency with a letter to forward to the claimant, in which it conveys the response of the person responsible, informs the claimant of the amicable resolution achieved and asks for the claimant's opinion about it.

FIFTH: This Agency notified the claimant of the communication provided by the DPC dated 01/23/2019, and no response has been received. Additionally, the inspection services of this Agency have verified that the web page that is the object of the claim has been removed.

FOUNDATIONS OF LAW

I. Competence

In accordance with the provisions of article 60.8 of the GDPR, the Director of the Spanish Data Protection Agency is competent to adopt this resolution, in accordance with article 12.2, section i) of Royal Decree 428/1993, of 26 March, which approves the Statute of the Data Protection Agency (hereinafter, RD 428/1993) and the first transitory provision of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD).

II. Main establishment, cross-border processing and main supervisory authority

Article 4.16 of the GDPR defines "main establishment":

"a) with regard to a data controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions about the purposes and means of the processing are made in another establishment of the controller in the Union and the latter establishment has the power to enforce such decisions, in which case the establishment that has made such decisions shall be considered the main establishment;

b) with regard to a processor with establishments in more than one Member State, the place of its central administration in the Union or, if it lacks this, the establishment of the processor in the Union in which the main processing activities in the context of the activities of an establishment of the processor take place, to the extent that the processor is subject to specific obligations in accordance with this Regulation"

For its part, article 4.23 of the GDPR defines "cross-border processing":

"a) the processing of personal data carried out in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, if the controller or processor is established in more than one Member State, or

b) the processing of personal data carried out in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State"

The GDPR provides, in its article 56.1, for cases of cross-border processing as defined in its article 4.23, in relation to the competence of the main supervisory authority, that, without prejudice to the provisions of article 55, the supervisory authority of the main establishment or the sole establishment of the controller or processor will be competent to act as main supervisory authority for the cross-border processing carried out by said controller or processor, in accordance with the procedure established in article 60.

In the case examined, as has been stated, FACEBOOK has its main establishment for the processing of personal data of European residents in Ireland (FACEBOOK IRELAND LTD.), so the Data Protection Commission (DPC) is competent to act as the main supervisory authority.

III. Cooperation and coherence procedure

Article 60 of the GDPR provides in section 8 the following:

"8. Notwithstanding the provisions of section 7, when a claim is dismissed or rejected, the supervisory authority to which it has been submitted will adopt the decision, will notify the claimant and inform the controller."

IV. Issue claimed and legal reasoning

In this case, a claim was filed on 07/04/2018 with the Spanish Data Protection Agency against FACEBOOK for an alleged violation of arts. 6 and 17 of the GDPR.

The aforementioned claim was transferred to the Irish supervisory authority as the authority competent to act as main supervisory authority, in accordance with the provisions of Article 56.1 of the GDPR.

Following its internal procedures, the Irish supervisory authority has sought to obtain an amicable resolution of the case. To this end, it has contacted the person responsible for this claim, who has resolved to delete the web page whose deletion the claimant requested.

Subsequently, the DPC has provided this Agency with a letter to forward to the claimant, in which it conveys the response of the person responsible, informs the claimant of the amicable resolution achieved and asks for the claimant's opinion about it. The DPC offers the claimant the option of replying within 1 month from the date indicated in the letter. If it does not receive a response, it considers the claim withdrawn, based on its national regulations.

This Agency notified the claimant of the communication provided by the DPC dated 01/23/2019, and no response has been received. Additionally, the inspection services of this Agency have verified that the web page that is the object of the claim has been removed.

Consequently, this Agency considers that the claim has been addressed and that it is appropriate to archive it.

Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO ARCHIVE the claim filed against FACEBOOK.

SECOND: TO NOTIFY this Resolution to the CLAIMANT.

THIRD: TO INFORM FACEBOOK IRELAND LTD.

In accordance with the provisions of article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure according to the provisions of art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, and in accordance with the provisions of arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day after the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the aforementioned Law.

Mar España Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6, 28001 - Madrid
www.aepd.es
sedeagpd.gob.es