AEPD (Spain) - EXP202100639

From GDPRhub
AEPD (Spain) - PS/00484/2021 - EXP202100639
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started: 15.07.2021
Published: 08.04.2022
Fine: 1500 EUR
Parties: n/a
National Case Number/Name: PS/00484/2021 - EXP202100639
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Cesar Manso-Sayao

The Spanish DPA issued a €1500 fine against an individual for installing security cameras pointed towards the public street and nearby private properties without an adequate information sign, in violation of Articles 5(1)(c) and 13 GDPR.

English Summary


The Spanish police notified the Spanish DPA (AEPD) that a private individual had placed security cameras facing public and private spaces in the surroundings of their property. The police report stated that they had warned the individual that the cameras should not be pointed in the direction of areas beyond their property, and that there was no sign posted with adequate information related to the functioning of these video cameras.

Despite the police’s warnings, the individual refused to redirect the cameras, or to place the appropriate sign with information required under GDPR. The AEPD therefore initiated proceedings in order to investigate the issue, and bring the individual into compliance with their obligations related to the use of security cameras under GDPR. The individual did not submit any allegations or proof to contradict the police report, and also ignored the AEPD’s request for information related to their compliance with GDPR on this matter.


The AEPD held that according to Article 22 of the Spanish Data Protection Act (Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales – LOPDGDD), security cameras can be installed in order to preserve the safety of persons and property, as well as the security of premises, but that recording of public streets is only permitted to the extent that it is essential for these purposes. Additionally, the AEPD held that any recording of private premises cannot take place without consent.

Morever, the AEPD held that when installing video cameras, the information requirements under Articles 12 and 13 GDPR must be fulfilled by placing a sign in a sufficiently visible place which announces that the video processing of personal data is taking place, the identity of the data controller, and the possibility for data subjects to exercise the rights provided for in Articles 15 to 22 GDPR.

Since the individual did not submit any defense in order to justify why the cameras were pointed towards the street and adjacent private areas, the AEPD issued a fine of €1500 against the individual (€1000 for a violation of the data minimisation principle under Article 5(1)(c) GDPR, and €500 for a violation of the information requirements under Article 13 GDPR). Additionally, the AEPD ordered the individual to either take down the cameras, or to redirect them facing his property and place a sign containing the aforementioned information requirements.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     File No.: EXP202100639


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


FIRST: The CIVIL GUARD - POST OF ***LOCALITY.1 (hereinafter, the
claimant party), dated 07/15/2021, sent the Notification Act of an alleged
infringement of data protection regulations to the Spanish Protection Agency

of data.

The following is indicated in the letter of remission of the Minutes, in relation to the matter of
Data Protection:

“While the patrol was with the agents with the number of types ***NUMBER.1 and

***NUMBER.2, carrying out citizen security tasks in the locality
of ***LOCATION.1, they observe the step located ***ADDRESS.1, of said locality,
as in the facade of the building there are two cameras that are oriented towards the road
traffic in both directions, focusing on road users and other
private addresses, which should be asked to the owner of the house, this being A.A.A.

(***NIF.1), the reason for which the cameras are placed, it states that it is because


The agents report that there is also no visible sign informing the use of the
video surveillance cameras.


That the agents inform him that it is not the first time that he has been told to remove

the cameras, ignoring them and stating that they are not going to be removed.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5

December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the claimant was notified on 07/20/2021, so that he could inform
to this Agency within a month, of the actions carried out to adapt
to the requirements set forth in the data protection regulations. The notification is
delivered on 08/02/20212, as stated in the Notice issued by Correos, but on the day

As of today, this Agency has not received any reply.

THIRD: On 09/29/2021, the Director of the Spanish Protection Agency
Data agreed to admit the claim filed by the claimant for processing.

C/ Jorge Juan, 6
28001 – Madrid, 2/11

FOURTH: On 12/09/2021, the Director of the Spanish Protection Agency
of Data agreed to initiate a sanctioning procedure against the claimed party, for the

alleged infringement of article 5.1.c) of the RGPD and article 13 of the RGPD, typified in
Article 83.5 a) and b) of the GDPR.

FIFTH: On 12/17/2021 the claimant is notified of the start agreement of this
sanctioning procedure and a hearing period of TEN DAYS is granted

SKILLFUL to formulate the allegations and present the evidence that it considers
convenient, in accordance with the provisions of articles 73 and 76 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP).

SIXTH: After the term granted for the formulation of allegations to the agreement

of the beginning of the procedure, it has been verified that no allegation has been received
by the claimed party.

Article 64.2.f) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP) -provision of which

the party claimed was informed in the agreement to open the proceeding-
establishes that if allegations are not made within the stipulated period on the content of the
initiation agreement, when it contains a precise statement about the
imputed responsibility, may be considered a resolution proposal.

In the present case, the agreement to initiate the disciplinary proceedings determined the
facts in which the imputation was specified, the infraction of the RGPD attributed to the
claimed and the sanction that could be imposed. Therefore, taking into account that
the party complained against has made no objections to the agreement to initiate the file and
In accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement of
beginning is considered in the present case resolution proposal.

SEVENTH: The agreement to initiate the procedure agreed in the third point of the
operative part “INCORPORATE to the disciplinary file, for the purposes of evidence, the
claims submitted by claimants and the information and documentation
obtained by the Subdirectorate General for Data Inspection in the phase of

information prior to the agreement for admission to processing of the claim”.

In view of everything that has been done, by the Spanish Data Protection Agency
In this proceeding, the following are considered proven facts:


FIRST: Installation of two video surveillance cameras on the facade of the building of
your home located at ***ADDRESS.1, ***LOCATION.1, which could be
capturing images of public roads in both directions and private areas.

Nor does it have the proper information sign for the video-monitored area.

SECOND: The person in charge of the devices is A.A.A., with NIF ***NIF.1.

C/ Jorge Juan, 6
28001 – Madrid, 3/11

THIRD: The Spanish Data Protection Agency has notified the claimant of the
agreement to open this sanctioning procedure, but has not presented

allegations or evidence that contradicts the reported facts.

                           FOUNDATIONS OF LAW


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47 and 48.1 of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of

digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions

regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”


The physical image of a person under article 4.1 of the RGPD is personal data
and its protection, therefore, is the subject of said Regulation. Article 4.2 of the GDPR
defines the concept of “treatment” of personal data.

Article 22 of the LOPDGDD includes the specific rules for the treatment of
data for video surveillance purposes and states the following:

"one. Natural or legal persons, public or private, may carry out the treatment
ment of images through camera systems or video cameras with the purpose
to preserve the safety of people and property, as well as its facilities.

2. Images of public roads may only be captured to the extent that it is im-
dispensable for the purpose mentioned in the previous section.

However, it will be possible to capture public roads to a greater extent

when necessary to guarantee the security of assets or strategic installations.
services or infrastructures linked to transport, without in any case being able to
put the capturing of images of the interior of a private home.

3. The data will be deleted within a maximum period of one month from its collection, except

when they had to be kept to prove the commission of acts that attend to
have against the integrity of people, goods or facilities. In this case, the images
must be made available to the competent authority within a maximum period of

C/ Jorge Juan, 6
28001 – Madrid, 4/11

seventy-two hours since the existence of the recording became known.

The blocking obligation provided for in art.
article 32 of this organic law.

4. The duty of information provided for in article 12 of Regulation (EU) 2016/679 is
understood to be fulfilled by placing an informative device in a sufficient place
ciently visible identifying, at least, the existence of the treatment, the identity

of the person in charge and the possibility of exercising the rights provided for in articles 15
to 22 of Regulation (EU) 2016/679. It may also be included in the device information
I attach a connection code or internet address to this information.

In any case, the person in charge of the treatment must keep available to the

affected the information referred to in the aforementioned regulation.

5. Under article 2.2.c) of Regulation (EU) 2016/679, it is considered excluded
of its scope of application the treatment by a natural person of images that are
regretfully capture the interior of your own home.

This exclusion does not cover processing carried out by a private security entity.
given that she had been hired to guard a home and had access to the

6. The processing of personal data from the images and sounds obtained

nests through the use of cameras and video cameras by the Forces and Corps
Security and by the competent bodies for surveillance and control in the centers
prisons and for the control, regulation, surveillance and discipline of traffic, will be governed
by the legislation transposing Directive (EU) 2016/680, when the treatment
for purposes of prevention, investigation, detection or prosecution of violations

criminal offenses or the execution of criminal sanctions, including protection and prevention
against threats to public safety. Apart from these assumptions, said
treatment will be governed by its specific legislation and additionally by the Regulations
to (EU) 2016/679 and this organic law.

7. What is regulated in this article is understood without prejudice to the provisions of the Law

5/2014, of April 4, on Private Security and its development provisions.

8. The treatment by the employer of data obtained through camera systems
cameras or video cameras is subject to the provisions of article 89 of this organic law.


In accordance with the foregoing, the processing of images through a system
of video surveillance, to be in accordance with current regulations, must comply with the

following requirements:

    - Respect the principle of proportionality.

C/ Jorge Juan, 6
28001 – Madrid, 5/11

    - When the system is connected to an alarm center, you can only
       be installed by a private security company that meets the requirements
       contemplated in article 5 of Law 5/2014 on Private Security, of 4

    - The video cameras will not be able to capture images of the people who
       are outside the private space where the security system is installed.
       video surveillance, since the processing of images in public places only
       can be carried out, unless there is government authorization, by the
       Security Forces and Bodies. They cannot be captured or recorded
       spaces owned by third parties without the consent of their owners, or, in their

       case, of the people who are in them.

       This rule admits some exceptions since, on some occasions, for the
       protection of private spaces, where cameras have been installed in
       facades or inside, it may be necessary to guarantee the purpose of

       security recording a portion of the public highway. That is, the cameras
       and video cameras installed for security purposes will not be able to obtain images
       of public roads unless it is essential for that purpose, or it is
       impossible to avoid due to their location and extraordinarily
       The minimum space for said purpose will also be collected. Therefore, the
       cameras could exceptionally capture the minimally necessary portion

       for its intended security purpose.

    - The duty to inform those affected provided for in articles
       12 and 13 of the RGPD and 22.4 of the LOPDGDD.

    - The person in charge must keep a record of treatment activities

       carried out under their responsibility, including the information to which
       refers to article 30.1 of the RGPD.

    - The installed cameras cannot obtain images of private spaces.
       third party and/or public space without duly accredited justified cause, or
       may affect the privacy of passers-by who move freely through the

       zone. It is not allowed, therefore, the placement of cameras towards the
       private property of neighbors with the purpose of intimidating them or affecting their
       private sphere without just cause.

    - In no case will the use of surveillance practices be admitted beyond the
       environment object of the installations and in particular, not being able to affect the

       surrounding public spaces, adjoining buildings and vehicles other than those
       access the guarded space.

In relation to the foregoing, to facilitate the consultation of interested parties, the Agency
Spanish Data Protection offers through its website

[] access to data protection legislation
including the RGPD and the LOPDGDD (section “Reports and resolutions” /
“regulations”), to the Guide on the use of video cameras for security and other
purposes and the Guide for compliance with the duty to inform (both available
in the “Guides and tools” section).

C/ Jorge Juan, 6
28001 – Madrid, 6/11

It is also of interest in the event that low-level data processing is carried out.

risk, the free tool Facilita (in the “Guides and tools” section) that,
through specific questions, it allows to assess the situation of the person in charge
regarding the processing of personal data that it carries out and, where appropriate, generate
various documents, informative and contractual clauses, as well as an annex with
indicative security measures considered minimal.


In the present case, the respondent has not presented arguments or evidence that

contradict the facts denounced within the period given for it.

In accordance with the evidence available and which has not been
distorted during the sanctioning procedure, the defendant has installed two
video surveillance cameras on the facade of the building where your home is located, located

in ***ADDRESS.1, ***LOCATION.1, capturing images of both transit areas
public and private. In addition, it lacks an information sign for a video-monitored area.

Based on the foregoing, the facts entail a violation of the provisions of
articles 5.1 c) and 13 of the RGPD, which supposes a commission of both infractions

typified in article 83.5 of the RGPD, which provides the following:

“The infractions of the following dispositions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to 4% of the turnover

global annual total of the previous financial year, choosing the highest amount:

a) The basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9;

b) The rights of the interested parties according to articles 12 to 22;


For the mere purposes of prescription, article 72.1 of the LOPDGDD qualifies as very


a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679;

b) The processing of personal data without the concurrence of any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679;


C/ Jorge Juan, 6
28001 – Madrid, 7/11

h) The omission of the duty to inform the affected party about the processing of their data
personal in accordance with the provisions of articles 13 and 14 of the Regulation (EU)
2016/679 and 12 of this Organic Law;


The corrective powers available to the Spanish Agency for the Protection of

Data, as a control authority, is established in article 58.2 of the RGPD. Between
they find the power to direct a warning (art. 58.2 b)), the power
to impose an administrative fine in accordance with article 83 of the RGPD (art. 58.2 i)),
or the power to order the person in charge or in charge of the treatment that the
treatment operations comply with the provisions of the RGPD, where appropriate,

in a certain way and within a specified period (art. 58.2 d)).

According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2
d) of the aforementioned Regulation is compatible with the sanction consisting of a fine

In this case, based on the facts set forth, it is considered that the sanction
that should be imposed is an administrative fine for each of the
offenses committed. The fine imposed must be, in each individual case,
effective, proportionate and dissuasive, in accordance with article 83.1 of the RGPD. finally
determining the administrative fine to be imposed, the provisions of the

article 83.2 of the RGPD, which indicates:

"two. Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or as a substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine

administration and its amount in each individual case will be duly taken into account:

a) the nature, seriousness and duration of the offence, taking into account the
nature, scope or purpose of the processing operation in question, as well
such as the number of interested parties affected and the level of damages that
have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to
alleviate the damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or of the person in charge of the treatment,
taking into account the technical or organizational measures that they have applied under
of articles 25 and 32;

e) any previous infringement committed by the person in charge or the person in charge of the treatment;

f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;

C/ Jorge Juan, 6
28001 – Madrid, 8/11

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in
particular whether the person in charge or the person in charge notified the infringement and, if so, in what

i) when the measures indicated in article 58, section 2, have been ordered
previously against the person in charge or the person in charge in question in relation to the
same matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or mechanisms of

certification approved in accordance with article 42,

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.

For its part, in relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in
its article 76, "Sanctions and corrective measures", provides:

"one. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation

(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:

a) The continuing nature of the offence.

b) The link between the activity of the offender and the performance of treatment of
personal information.

c) The profits obtained as a result of committing the offence.

d) The possibility that the conduct of the affected party could have included the commission
of the offence.

e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity

f) Affectation of the rights of minors

g) Have, when not mandatory, a data protection delegate.

h) Submission by the person in charge or person in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which

there are controversies between them and any interested party”.

C/ Jorge Juan, 6
28001 – Madrid, 9/11

In accordance with the precepts transcribed, in order to set the amount of the sanction of
fine to be imposed in the present case for the infractions typified in article 83.5
a) and b) of the RGPD, it is appropriate to grade them according to the following aggravating factors:

    - The nature of the offence. The claimed by having a system of
        video surveillance that is oriented to public roads and private areas without cause
        justified, as well as the absence of an informative poster, produces damages and
        damages to all affected stakeholders who do not know who is the
        responsible for the treatment and to whom they must be addressed in order to exercise the

        rights recognized in the RGPD (art. 83.2 a) RGPD).

    - The intention or negligence in the infringement. With the system
        video surveillance carries out excessive control of the area without any justified cause,
        highlighting the poor orientation of the device (art. 83.2 b) RGPD).

    - The degree of cooperation with this Agency in order to remedy the
        infringement. After having made a transfer to the claimed party for the purpose of being able to
        answer and, where appropriate, take measures to avoid the infringement, the AEPD has not
        received any response. No response has been received either.
        Once the opening agreement has been notified (art. 83.2 f) RGPD).

    - The way in which the control authority became aware of the infraction. The
        The way in which this Agency has become aware has been through the
        remission of the notification Act of the CIVIL GUARD - POSITION OF
        *** LOCATION.1 (art. 83.2 h) RGPD).

    - The continuing nature of the offence. The respondent had already received with
        Prior to the claim notices by the claimant so that
        adopt the necessary measures in order to comply with the regulations of
        personal data protection. However, the respondent continues without putting

        the informative poster and capturing images which supposes a treatment of
        data of identifiable natural persons (art. 76.2 a) LOPDGDD).

The balance of the circumstances contemplated, with respect to the infractions
committed by violating the provisions of articles 5.1 c) and 13 of the RGPD, allows setting
a fine of 1,000 euros (one thousand euros) and 500 euros (five hundred euros), respectively.

Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduation of sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE A.A.A., with NIF ***NIF.1, for an infraction of article 5.1.c)
of the RGPD, typified in article 83.5 a) of the RGPD, a fine of €1,000 (one thousand euros).

SECOND: IMPOSE A.A.A., with NIF ***NIF.1, for an infraction of article 13

of the RGPD, typified in article 83.5 b) of the RGPD, a fine of €500 (five hundred

C/ Jorge Juan, 6
28001 – Madrid, 10/11

THIRD: ORDER A.A.A., with NIF ***NIF.1 that, by virtue of article 58.2 d)
of the RGPD, within ten business days, take the following measures:

    - Prove that you proceeded to remove the cameras from the current location, or to
        the reorientation of these towards their particular area.

    - Prove that you have proceeded to place the informative poster in the areas
        video-monitored (at least the existence of a treatment must be identified,
        the identity of the controller and the possibility of exercising the rights provided

        in said precepts), locating this device in a sufficiently

    - Prove that you keep the information to which it refers available to those affected.
        refers to the aforementioned RGPD.

FOURTH: NOTIFY this resolution to A.A.A., with NIF ***NIF.1.

FIFTH: Warn the sanctioned party that he must enforce the sanctions imposed
Once this resolution is enforceable, in accordance with the provisions of
the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure

Common Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, through its entry, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account

restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency
Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case
Otherwise, it will be collected in the executive period.

Received the notification and once executed, if the date of execution is

between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following month or immediately after, and if
between the 16th and last day of each month, both inclusive, the payment term
It will be until the 5th of the second following month or immediately after.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month from
counting from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.

C/ Jorge Juan, 6
28001 – Madrid, 11/11

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact by
writing addressed to the Spanish Agency for Data Protection, presenting it through
Electronic Register of the Agency [

web/], or through any of the other registers provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal

contentious-administrative within a period of two months from the day following the
notification of this resolution would end the precautionary suspension.


Sea Spain Marti
Director of the Spanish Data Protection Agency

28001 – Madrid 6