AEPD (Spain) - EXP202205353: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 58: Line 58:
}}
}}


Association that disclosed personal data of one of its members in a Whatsapp group was fined €3,000 for violating [[Article 5 GDPR#1f|Articles 5(1)(f)]] and [[Article 32 GDPR|32 GDPR]].
An association that disclosed personal data of one of its members in a Whatsapp group was fined €3,000 for violating [[Article 5 GDPR#1f|Articles 5(1)(f)]] and [[Article 32 GDPR|32 GDPR]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject was a member of the Hunters Association of Alzira, the controller, and sent a letter to its president requesting access to the accounting books.  
The data subject was a member of the Hunters Association of Alzira, the controller, and sent a letter to its president requesting access to the accounting books. The president then shared this letter in a Whatsapp group formed by 195 associates, together with private conversations with the data subject. The data subject filed a complaint with the Spanish DPA.  
 
The president then shared this letter in a Whatsapp group formed by 195 associates, together with private conversations with the data subject.
 
The data subject felt that their privacy was violated and filed a complaint with the Spanish DPA.


=== Holding ===
=== Holding ===

Revision as of 07:12, 7 June 2023

AEPD - EXP202205353
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 15.04.2022
Decided: 28.04.2023
Published: 28.04.2023
Fine: 3,000 EUR
Parties: n/a
National Case Number/Name: EXP202205353
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

An association that disclosed personal data of one of its members in a Whatsapp group was fined €3,000 for violating Articles 5(1)(f) and 32 GDPR.

English Summary

Facts

The data subject was a member of the Hunters Association of Alzira, the controller, and sent a letter to its president requesting access to the accounting books. The president then shared this letter in a Whatsapp group formed by 195 associates, together with private conversations with the data subject. The data subject filed a complaint with the Spanish DPA.

Holding

The DPA highlighted that the WhatsApp group in question should limit itself solely to the sharing of information that is necessary for the fulfillment of the ends of the association. Therefore, it held that personal data were unduly disclosed to third parties, violating the principle of integrity and confidentiality.

Similarly, it found that the Association had not implemented sufficient security measures, in view of the potential risks involved in the data processing activity.

For these reasons, the DPA imposed a fine of: a) €2,000 for the violation of Article 5(1)(f) GDPR; b) €1,000 for the violation of Article 32 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202205353
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: D.A.A.A. (hereinafter, the claiming party) dated April 15, 2022
filed a claim with the Spanish Data Protection Agency. The
claim is directed against ASSOCIACIO DE CAÇADORS D'ALZIRA with NIF
G96965223 (hereinafter, the ASSOCIATION). The reasons on which the claim is based
are the following:
The person in charge of the association of hunters of Alzira makes public in a group of
WhatsApp made up of 195 partners, the brief submitted by the claimant
requesting the account books from the association, emphasizing that the partner who
had requested it is the number XXX known because according to what he indicates in his messages that
they lost the elections.
In the conversation held in the WhatsApp group, the person responsible for the said
association indicates that the events that occurred are intended to attack and
threaten the current board of directors, and he himself makes a copy and paste spreading
in the group the private conversation, without the authorization of the complaining party.
Whereupon, the complaining party in the same WhatsApp group puts in
knowledge of all partners that there has been a violation of rights,
Therefore, it will proceed to file a claim with the Spanish Protection Agency
of data.
Together with the notification, screenshots of the conversation held in the
WhatsApp group mentioned.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereafter LOPDGDD), said claim was transferred to the ASSOCIATION, for
to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements established in the regulations of
Data Protection.
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP) by electronic notification, which was not collected
by the person in charge, within the period of making them available, meaning
rejected in accordance with the provisions of art. 43.2 of the LPACAP dated May 22
of 2022, as stated in the certificate that is in the file.
Although the notification was validly made by electronic means, assuming that
carried out the procedure in accordance with the provisions of article 41.5 of the LPACAP, under
informative, a copy was sent by certified postal mail that was returned by
“absent”, after two delivery attempts.
THIRD: On June 28, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the claimant party was admitted for processing.
FOURTH: On July 15, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate disciplinary proceedings against the claimed party,
for the alleged violation of article 5.1.f) of the GDPR and article 32 of the GDPR,
typified in article 83.5 and 83.4 of the GDPR.
The initiation agreement, which was carried out in accordance with the norms established in the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP) by means of electronic notification,
that it was not collected by the person in charge, within the period of making it available,
being understood rejected in accordance with the provisions of art. 43.2 of the LPACAP in
dated July 18 of that same year, as stated in the certificate that is in the
proceedings.
Although the notification was validly made by electronic means, it was reiterated by
Certified postal mail that was returned "absent" after two delivery attempts.
Finally, and given the impossibility of making the notification, it was done through
announcement published in the "Official State Gazette" on October 21, 2022.
in accordance with the provisions of art. 44 of the LPACAP.
FIFTH: Notified of the aforementioned start-up agreement in accordance with the rules established in
Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP) and after the period granted
for the formulation of allegations, it has been verified that no allegation has been received
any by the claimed party.
Article 64.2.f) of the LPACAP -provision of which the claimed party was informed
in the agreement to open the procedure - establishes that if no
arguments within the established term on the content of the initiation agreement, when
it contains a precise pronouncement about the imputed responsibility,
may be considered a resolution proposal. In the present case, the agreement of
beginning of the disciplinary file determined the facts in which the
imputation, the infringement of the GDPR attributed to the defendant and the sanction that could
impose. Therefore, taking into consideration that the claimed party has not
made allegations to the agreement to start the file and in attention to what
established in article 64.2.f) of the LPACAP, the aforementioned initiation agreement is
considered in the present case resolution proposal.
In view of all the proceedings, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts:
PROVEN FACTS
FIRST: It is accredited in the file that the personal data of the party
claimant were improperly disseminated to third parties through a conversation
from a WhatsApp group created by the ASSOCIATION.
SECOND: It is accredited in the file that was disseminated by WhatsApp the
conversation with the documentation that member no. XXX of the previous board of directors
chaired by Mr. José Antonio Ferrer sent to the ASSOCIATION by the claimant
FUNDAMENTALS OF LAW
Yo
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."
II
Article 5.1.f) of the GDPR
Article 5.1.f) "Principles relating to processing" of the GDPR establishes:
"1. Personal data will be:
(…)
f) processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against their
accidental loss, destruction or damage, through the application of technical or
appropriate organizational procedures (“integrity and confidentiality”).”
In the present case, it is clear that the personal data of the complaining party, obtained
in the ASSOCIATION's database, were improperly disseminated to third parties through
through a conversation in a WhatsApp group, violating the principle of
confidentiality; although there is no record of whether or not subsequent use has occurred, for
part of third parties, of the personal information of the complaining party.
II
Classification of the infringement of article 5.1.f) of the GDPR
The aforementioned infringement of article 5.1.f) of the GDPR supposes the commission of the infringements
typified in article 83.5 of the GDPR that under the heading "General conditions
for the imposition of administrative fines” provides:
Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equal to a maximum of 4% of the volume of
overall annual total business of the previous financial year, opting for the one with the highest
amount:
a) the basic principles for processing, including the conditions for consent under Articles 5, 6, 7 and 9; (…)”
In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that:
"The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law”.
For the purposes of the limitation period, article 72 "Infractions considered very serious" of the LOPDGDD indicates:
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that
a substantial violation of the articles mentioned therein and, in particular, the
following:
a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)”
IV.
Penalty for violation of article 5.1.f) of the GDPR
For the purposes of imposing an administrative fine and its amount, it is considered that
the infringement in question is serious for the purposes of the GDPR and that it is necessary to graduate the
sanction to be imposed in accordance with the criteria established in article 83.2 of the
GDPR.
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
criteria established in section 2 of article 76 "Sanctions and corrective measures"
of the LOPDGDD.
The balance of the circumstances contemplated in article 83.2 of the RGPD and article 76.2 of the LOPDGDD, with respect to the offense committed by violating the provisions of article 5.1.f) of the RGPD, allow a penalty of €2,000 (TWO THOUSAND
EURO).
V
GDPR Article 32
Article 32 "Security of treatment" of the GDPR establishes:
"1. Taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the treatment, as well as probability risks
and variable severity for the rights and freedoms of natural persons, the person in charge and the person in charge of the treatment will apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, which, where appropriate, includes, among others:
a) the pseudonymization and encryption of personal data;
b) the capacity to guarantee the permanent confidentiality, integrity, availability and resilience of the processing systems and services;
c) the ability to quickly restore availability and access to personal data in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of effectiveness
of the technical and organizational measures to guarantee the security of the treatment.
2. When evaluating the adequacy of the level of security, particular account will be taken of the risks presented by data processing, in particular as a consequence
of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or processed in another way, or unauthorized communication or access to such data.
3. Adherence to a code of conduct approved under article 40 or to a certification mechanism approved under article 42 may serve as an element for
demonstrate compliance with the requirements established in section 1 of this
article.
4. The controller and the processor shall take measures to ensure that
any person acting under the authority of the controller or processor and having access to personal data may only process such data on instructions
of the controller, unless it is required to do so by Union law or by
the Member States”.
In the present case, at the time of the security breach, there is no record
that the ASSOCIATION have reasonable security measures based on
the estimated possible risks.
It is noteworthy that the WhatsApp group of the ASSOCIATION should be limited only to disseminating the information necessary for the fulfillment of the purposes of the association.
Consequently, broadcast the conversation via WhatsApp with the documentation that the
partner no. XXX of the previous board chaired by D. B.B.B. sent to the ASSOCIATION
by the claimant requesting the association's account book, does not guarantee the confidentiality, integrity and availability of the treatment systems and services.
SAW
Classification of the infringement of article 32 of the GDPR
The aforementioned infringement of article 32 of the RGPD supposes the commission of the infractions typified in article 83.4 of the RGPD that under the rubric "General conditions for
the imposition of administrative fines” provides:
Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10,000,000 or, in the case of a company, an amount equal to a maximum of 2% of the volume of
overall annual total business of the previous financial year, opting for the one with the highest
amount:
5) the obligations of the person in charge and the person in charge according to articles 8,
11, 25 to 39, 42 and 43; (…)”
In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that "The acts and conducts referred to in sections 4, 5 and 6 constitute infractions
of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to
the present organic law”.
For the purposes of the limitation period, article 73 "Infractions considered serious"
of the LOPDGDD indicates:
"Based on the provisions of article 83.4 of Regulation (EU) 2016/679, infractions that involve a substantial violation of the articles mentioned therein, and in particular, the following, are considered serious and shall prescribe after two years:
…
g) The breach, as a consequence of the lack of due diligence, of the
technical and organizational measures that have been implemented as required
by article 32.1 of Regulation (EU) 2016/679”.
VII
Penalty for violation of article 32 of the GDPR
For the purposes of imposing an administrative fine and its amount, it is considered that
the infringement in question is serious for the purposes of the GDPR and that it is necessary to graduate the
sanction to be imposed in accordance with the criteria established in article 83.2 of the
GDPR.
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
criteria established in section 2 of article 76 "Sanctions and corrective measures"
of the LOPDGDD.
The balance of the circumstances contemplated in article 83.2 of the GDPR and article 76.2 of the LOPDGDD, with respect to the offense committed by violating the provisions of article 32 of the GDPR, allow a penalty of €1,000 (THOUSAND EUROS).
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE ASSOCIACIO DE CAÇADORS D'ALZIRA, with NIF
G96965223, for a violation of Article 5.1.f) of the GDPR typified in article
83.5 of the GDPR, a fine of €2,000 (TWO THOUSAND EUROS).
TO IMPOSE ASSOCIACIO DE CAÇADORS D'ALZIRA, with NIF G96965223, for a
violation of Article 32 of the GDPR typified in Article 83.4 of the GDPR, a fine
of €1,000 (THOUSAND EUROS).
SECOND: NOTIFY this resolution to ASSOCIACIO DE CAÇADORS
D'ALZIRA.
THIRD: Warn the penalized person that they must make the imposed sanction effective
Once this resolution is enforceable, in accordance with the provisions of Article
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of its income, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:
XXXXXXXXXXXX), opened on behalf of the Spanish Agency for Data Protection in
the banking entity CAIXABANK, S.A. Otherwise, it will proceed to its
collection in executive period.
Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reversal before the
Director of the Spanish Agency for Data Protection within a period of one month from
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.
938-181022
Mar Spain Marti
Director of the Spanish Data Protection Agency