AEPD (Spain) - EXP202104917: Difference between revisions

From GDPRhub
No edit summary
 

Latest revision as of 12:41, 13 December 2023

AEPD - PS-00066-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(11) GDPR
Article 6 GDPR
Article 6(1) LOPDGDD
Type: Complaint
Outcome: Upheld
Started: 24.09.2021
Decided:
Published: 12.09.2022
Fine: 10,000 EUR
Parties: SOPHIE ET VOILA, S.L
National Case Number/Name: PS-00066-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA concluded that a controller violated Article 6 GDPR after publishing a photo on Instagram without a valid legal basis. The DPA imposed a €10,000 fine on the controller.

English Summary

Facts

On 24 September 2021, the complainant turned to the Spanish DPA alleging a violation of the right to protection of personal data as a result of a wedding dress company (the controller) posting a photograph of the complainant without their consent on Instagram. The photo included a man with a woman in a wedding dress designed by the controller company.

Following an initial complaint, the controller removed the picture within an hour of posting and re-uploaded it after covering the face of the complainant with a black circle. Eventually, the controller removed the photo permanently upon having received payment for the dress.

On 14 January 2022, the controller submitted to the Spanish DPA a claim that the complainant was not identifiable anymore in the photograph in question, hence the photograph did not contain personal data within the meaning of Article 4(1) GDPR. Moreover, the controller pointed out that Instagram offers the possibility to report a picture posted by a third party, which the complainant never made use of.

Finally, the controller claimed that the complainant gave their consent to the publishing of the photograph by reposting it on their own account. They also alleged to have legitimate interest in the publication of the photograph because the controller wanted to collect payment for the dress.

Holding

First, the Spanish DPA recalled the conditions for valid consent under Article 4(11) GDPR and Article 6(1) LOPDGDD (National data protection law aimed at the implementation of the GDPR). In both articles, consent is defined as "any manifestation of free, specific, informed and unequivocal will" expressed through a statement or clear affirmative action. Further, it stated that consent is one of the valid legal bases under Article 6 GDPR.

In this regard, the DPA noted that there was no valid consent given by the complainant as the reposting or tagging in social media posts cannot count as clear affirmative action. Moreover, the lack of payment did not legitimise the controller to use the images of the complainant without their express consent. Therefore, the DPA concluded that there was no valid legal basis for the processing of personal data in form of publishing photographs of the complainant on Instagram.

The DPA imposed a €10,000 fine on the controller for violating Article 6 GDPR.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


1/10
 File No.: EXP202104917
RESOLUTION OF PUNISHMENT PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: A.A.A. (hereinafter, the complaining party) dated September 24,
2021 filed a claim with the Spanish Data Protection Agency.
The claim is directed against SOPHIE ET VOILA, S.L. with NIF B95827952 (in
hereafter, the party claimed).
The reason on which the claim is based is that the respondent party has published in
Instagram a photo showing the claimant dressed in her wedding attire.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), on November 29, 2021, said communication was
claim to the claimed party, so that it proceeded to its analysis and inform the
this Agency within a month, of the actions carried out to adapt to
the requirements set forth in the data protection regulations.
On January 14, 2022, in response to the aforementioned request, the party claimed
indicates that at no time are the claimants identified, since the photographs
they only showed the figures of two people, a man and a woman, with their faces totally
covered by a black circle that did not make them identifiable.
Said entity considers that for there to be an infringement of the rights conferred
in the RGPD, there must be a treatment of the personal data of the claimants,
and the publication of a photograph, which has been deliberately modified so as not to
make its members recognizable, cannot be considered a treatment
illicit, on the contrary, it could be proof of the security measures adopted, in this
case, the anonymization of the data and guarantee their confidentiality.
He supports his statements alleging that article 4 of the aforementioned RGPD under the rubric
“Definitions” means personal data “all information about a natural person
identified or identifiable ("the interested party"); shall be considered an identifiable natural person
any person whose identity can be determined, directly or indirectly, in
by an identifier, such as a name, phone number,
identification, location data, an online identifier, or one or more elements
own physical, physiological, genetic, mental, economic, cultural or
social status of that person.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
2/10
It is stated that the anonymized images of the complainants cannot be considered
personal data and, therefore, its publication cannot be considered a treatment
subject to the GDPR.
It also considers that in the surprising event that it were understood that the
images that appear in the photograph are personal data, the
terms and conditions of the social network (Instagram) that contemplate the possibility of
that a user can publish photos in which third parties appear, offering a way
to report such uses in case of not agreeing with them, via the
claimants did not exercise.
He concludes by pointing out that the images were published for less than an hour, for
which again in the event that the existence of a treatment of
personal data contrary to the RGPD, the infringement would lack sufficient entity and
that, in any case, if the arguments of the complainant were taken into account,
perhaps it would be convenient to assess article 76.2.d) of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights.
THIRD: On December 24, 2021, in accordance with article 65 of
the LOPDGDD, the claim presented by the claimant was admitted for processing.
FOURTH: On April 1, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the claimed party,
for the alleged infringement of Article 6 of the RGPD, typified in Article 83.5 of the
GDPR.
FIFTH: Notification of the aforementioned start-up agreement in accordance with the rules established in
Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP), the respondent filed a written
of allegations in which, in summary, it states that the complainant published her
photography on August 29 and tagged Sophie et Voilá.
The entity complained against considers that the labeling by the complainant to the entity
claimed on Instagram, without a doubt it is a clear action in which the
complainant is interested in making public that our client is responsible
of making your dress.
As can be seen from the facts, Sophie et Voilá reposts the publication of the
complainant on August 29, without the complainant having shown any type of
annoyance, it is more on September 25 again publishes another photograph and also
tag Sophie et Voilá, which shows your complete compliance with the work
of my represented and of course with the reposting of them.
This action is a free and positive affirmative action by the party
claimant by labeling my client who should be 11 considered as a
consent in the publication of the images by my client.
SIXTH: On May 25, 2022, the instructor of the procedure considers
reproduced for evidentiary purposes the claim filed by the claimant and its
documentation, the documents obtained and generated and are considered reproduced at
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
3/10
evidentiary purposes, the allegations to the agreement to initiate the procedure
sanctioning referenced, presented by SOPHIE ET VOILA, S.L., and the
accompanying documentation.
SEVENTH: On May 31, 2022, a resolution proposal was formulated,
proposing that the Director of the Spanish Data Protection Agency sanction
to SOPHIE ET VOILA, S.L., with NIF B95827952, for an infringement of article 6 of the
RGPD, typified in article 83.5 of the RGPD, with a fine of €10,000 (ten thousand
euros).
Of the actions carried out in this procedure and the documentation
in the file, the following have been accredited:
PROVEN FACTS
FIRST: A photo showing the complaining party has been published on Instagram
dressed in her wedding dress, by the entity that made her dress,
to get it paid.
The images published by the complained party if they were identifiable, and the objective of
his post was to collect sales of purchased wedding suits.
SECOND: The entity claimed alleges that said photos were posted by the
claimant previously and that when the claimed party in turn posted such
images pixelated his face.
FOUNDATIONS OF LAW
Yo
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47 and 48.1 of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”
II
Article 4.11 of the RGPD defines the consent of the interested party as "any
manifestation of free, specific, informed and unequivocal will by which the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
4/10
The interested party accepts, either by means of a declaration or a clear affirmative action, the
processing of personal data concerning you”.
In this sense, article 6.1 of the LOPDGDD, establishes that "in accordance with the
provided in article 4.11 of Regulation (EU) 2016/679, consent is understood
affected person, any manifestation of free, specific, informed and inappropriate will.
equivocal by which he accepts, either through a statement or a clear action
affirmative, the treatment of personal data that concerns you”.
For its part, article 6 of the GDPR establishes the following:
"1. The processing will only be lawful if at least one of the following conditions is met:
nes:
a) the interested party gave their consent for the processing of their personal data
for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at the request of the latter of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the
data controller;
d) the treatment is necessary to protect the vital interests of the interested party or another
Physical person;
e) the treatment is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers vested in the data controller;
f) the treatment is necessary for the satisfaction of legitimate interests pursued
by the data controller or by a third party, provided that said interests
interests do not prevail or the fundamental rights and freedoms of the interest
cases that require the protection of personal data, in particular when the interested
sado be a child.
The provisions of letter f) of the first paragraph shall not apply to the processing
carried out by public authorities in the exercise of their functions.”
III
In the present case, the complaining party denounces the defendant because he has
posted on Instagram a photo showing the claimants dressed in their
wedding suits
According to the party complained against, in the photo the complaining party's face is totally
covered by a black circle.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
5/10
The respondent states that she has been publishing her designs since 2014 on Instagram and that the
The basis that legitimizes the treatment is the legitimate interest.
In addition, he states that the photo was published for an hour and was removed when the
bride finally paid for her wedding dress.
The entity claimed states that recital 26 of the RGPD establishes the
Next:
“The principles of data protection must apply to all information relating to
to an identified or identifiable natural person.
Pseudonymized personal data, which could be attributed to a natural person
through the use of additional information, should be considered information about
an identifiable natural person.
In determining whether a natural person is identifiable, all
the means, such as singularization, that the person in charge can reasonably use
of the treatment or any other person to identify directly or indirectly the
Physical person.
To determine whether there is a reasonable probability that means will be used to
identify a natural person, all objective factors must be taken into account,
as the costs and time required for identification, taking into account both
technology available at the time of treatment such as advances
technological.
Therefore, data protection principles should not apply to information
anonymous, i.e. information that is not related to a natural person
identified or identifiable, nor to the data anonymised in such a way that the
interested party is not identifiable, or ceases to be so.
Consequently, this Regulation does not affect the treatment of such
anonymous information, including for statistical or research purposes. “
Well, applying this definition and the aforementioned recital, we cannot understand
that the photographs in which the faces of those who appear are covered comply with
none of these requirements, since the bridal attire of both claimants did not
makes them identifiable in any case.
It must be taken into account that the complainant published her photograph on Instagram on the day
August 29, 2020 and tagged the claimed entity.
The labeling of my client is undoubtedly a clear action in which the company itself
complainant is interested in making public that our client is responsible
of making your dress.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
6/10
As can be seen in the facts, the claimed entity reposts the publication
of the complainant on August 29, 2020, without the complainant having shown
no kind of hassle, it is more on September 25, 2020 again publish another
photograph and also tag the claimed entity, proving its complete
in accordance with the work of my representative and of course with the reposting of the
themselves.
This action, which we will discuss later, is a free affirmative action and in
positive on the part of the claimant when labeling my client that must be
considered as a consent in the publication of the images by
My client.
In relation to the anonymization action of the images or their pixelation, we must
bear in mind that on several occasions the Spanish Protection Agency itself
of Data recommends this type of techniques for the publication of images in the
media.
For example, recently the AEPD, coinciding with the confinement situation,
recalled the risks of spreading images of people on social networks and
recommended that digital parameters be used that prevent distinguishing features
facials.
The respondent states that she has been publishing her designs since 2014 on Instagram and that the
The basis that legitimizes the treatment is the legitimate interest.
In addition, he states that the photo was published for an hour and was removed when the
bride finally paid for her wedding dress.
This Agency considers that the images published by the claimed party, if they were
identifiable and therefore were published on Instagram by the claimed with the
purpose of charging for sales made,
In this sense, it must be indicated that the lack of payment does not legitimize the claimed party to
use the images of the claimants, if you do not have their express consent,
therefore, an illicit treatment of personal data has been incurred.
In addition, the personal data obtained from a
social network or internet, without the concurrence of any of the bases of legitimacy foreseen
in art. 6 of the GDPR.
Therefore, it is considered that we are facing an illicit treatment of personal data,
since in this case the respondent did not even attempt to obtain consent
of the claimants for the use of their image, since they considered that they had an interest
legitimate for its treatment.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
7/10
Its non-compliance supposes the infringement of article 6 of the RGPD indicated in the
basis of law II, since the personal data have been processed without counting
with no kind of legitimacy.
IV
Article 72.1 b) of the LOPDGDD states that “according to what is established in the
article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe
after three years the infractions that suppose a substantial violation of the
articles mentioned therein and, in particular, the following:
b) The processing of personal data without the concurrence of any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679.”
v
In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:
“Each control authority will guarantee that the imposition of administrative fines
under this Article for infringements of this Regulation
indicated in sections 4, 5 and 6 are in each individual case effective,
proportionate and dissuasive.”
“Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or as a substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case will be duly taken into account:
a) the nature, seriousness and duration of the offence, taking into account the
nature, scope or purpose of the processing operation in question as well
such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to
alleviate the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or of the person in charge of the treatment,
taking into account the technical or organizational measures that they have applied under
of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
8/10
particular whether the person in charge or the person in charge notified the infringement and, if so, in what
measure;
i) when the measures indicated in article 58, section 2, have been ordered
previously against the person in charge or the person in charge in question in relation to the
same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or mechanisms of
certification approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.”
Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
“Sanctions and corrective measures”, provides:
"two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:
a) The continuing nature of the offence.
b) The link between the activity of the offender and the performance of treatment of
personal information.
c) The profits obtained as a result of committing the offence.
d) The possibility that the conduct of the affected party could have induced the commission
of the offence.
e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) Affectation of the rights of minors.
g) Have, when not mandatory, a data protection delegate.
h) Submission by the person in charge or person in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
there are controversies between them and any interested party.”
In accordance with the precepts transcribed, in order to set the amount of the sanction of
fine to be imposed on SOPHIE ET VOILA, S.L. with NIF B95827952, as responsible for
an infringement typified in article 83.5.a) of the RGPD, they are considered concurrent in the
present case, as aggravating factors, the following factors:
-there has been intentionality, since they indicate that they removed the images when paying for the suit
bridal, in accordance with article 83.2 b of the RGPD.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
9/10
This infraction can be sanctioned with a fine of €20,000,000 maximum or,
in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual turnover of the previous financial year, opting for the
of greater amount, in accordance with article 83.5 of the RGPD.
Pursuant to these criteria, it is considered appropriate to impose on the defendant entity
a penalty of 10,000 euros (ten thousand euros), for the infringement of article 6 of the
RGPD, regarding the processing of personal data, without the consent of the
affected. In accordance with the foregoing, by the Director of the Agency
Spanish Data Protection
Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE SOPHIE ET VOILA, S.L., with NIF B95827952, for a
infringement of article 6 of the RGPD, typified in article 83.5 of the RGPD, a fine
of 10,000 euros (ten thousand euros).
SECOND: NOTIFY this resolution to SOPHIE ET VOILA, S.L.
THIRD: Warn the sanctioned party that he must make the imposed sanction effective once
Once this resolution is enforceable, in accordance with the provisions of the
Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, through its entry, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency
Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case
Otherwise, it will be collected in the executive period.
Received the notification and once executed, if the date of execution is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following month or immediately after, and if
between the 16th and last day of each month, both inclusive, the payment term
It will be until the 5th of the second following month or immediately after.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month from
counting from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
10/10
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact by
writing addressed to the Spanish Agency for Data Protection, presenting it through
Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would end the precautionary suspension.
938-050522
Sea Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es