AEPD (Spain) - EXP202206825: Difference between revisions

From GDPRhub
No edit summary
 
(One intermediate revision by the same user not shown)

Latest revision as of 13:27, 13 December 2023

AEPD - PS-00450-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 1,500 EUR
Parties: n/a
National Case Number/Name: PS-00450-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: PS-00450-2022 (in ES)
Initial Contributor: sh

The Spanish DPA fined a landlord €1,500 for installing a camera, which captured a shared area, with only partial consent from all the affected tenants. This resulted in a breach of Article 6(1) GDPR.

English Summary

Facts

The landlord, with the consent of a tenant, installed a camera the façade of a shared villa which captured both a shared swimming pool and terrace. However, the other tenants in the same villa were not notified nor asked to consent to the installation of the cameras. One of them complained to the Spanish DPA.

Holding

The Spanish DPA initially found a breach under Article 5(1)(b) and (c) GDPR and fined the landlord €300. They also ordered the removal of the camera. The landlord ignored this request. On a second review of the case, the Spanish DPA raised the fine to €1,500 and changed the infringement to the lack of a legal basis under Article 6(1) GDPR. The camera was ordered to be removed within 10 working days.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/11








     File No.: EXP202206825



                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based
to the following


                                   BACKGROUND

FIRST: On 06/13/2022, a document submitted to this Agency was entered
by A.A.A. (hereinafter, the complaining party), through which the claim is made
vs. B.B.B. with NIF ***NIF.1 (hereinafter, the claimed part), for the installation of
a video surveillance system located in ***ADDRESS.1, there being indications of a

possible non-compliance with the provisions of the data protection regulations of
personal character.

The reasons underlying the claim are the following:


“A camera has been placed on the interior façade of the house located in
***ADDRESS 1. This home is a single-family chalet in which 3 of us live.
tenants leased to Mr. B.B.B.. This house has a terrace and swimming pool for use
shared.

The aforementioned B.B.B., with the collaboration of C.C.C. has installed a camera on the facade

of the aforementioned C.C.C..

The camera is focused on the shared-use terrace and pool. these spaces
They are available to the tenants of the chalet in which we live. Said chalet consists
of 3 separate rooms or “houses”. We live in one, in another C.C.C. and D.D.D.,

and in the last E.E.E.. B.B.B. He is the owner of the entire chalet.

The installation of the camera has not been notified, nor have they asked for consent to
record us. My wife, my daughter under 8 years old and I live in our home. (…)”


Attached is a photographic report of the location of the video surveillance camera and the
affected areas

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), on 06/16/2022 said claim was transferred to the party

claimed, so that it could proceed with its analysis and inform this Agency within the period
of one month, of the actions carried out to adapt to the planned requirements
in data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of

October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on 06/27/2022 as stated in the
acknowledgment of receipt that appears in the file, without having been received by the Agency
response to it.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/11









THIRD: On 08/19/2022, in accordance with article 65 of the LOPDGDD,
The claim presented by the complaining party was admitted for processing.


FOURTH: On 11/14/2022, the Director of the Spanish Protection Agency
of Data agreed to initiate sanctioning proceedings against the claimed party, in accordance with
the provisions of articles 63 and 64 of LPACAP, for the alleged violation of the article
5.1.c) of Regulation (EU) 2016/679 (General Data Protection Regulation,
typified in article 83.5.a) of the RGPD. A fine was set as an initial assessment

administrative fee of €300 and, as a possible measure, the removal of the device from the place
current or regularization in accordance with current regulations.

FIFTH: The notification of the agreement to initiate this sanctioning procedure
It was delivered on 11/15/2022 and, after the period granted for the formulation of

allegations, it has been confirmed that no allegations have been received from the party
claimed.

SIXTH: On 04/27/2023, a proposed resolution was formulated in which, as
As a result of the investigation, it was considered that the legal classification of the facts
acquaintances had to be different. Thus, it was proposed to impose a fine of €5,000 on the

claimed party, for the violation of article 6.1 of the RGPD due to the lack of basis
legal entity that legitimizes the processing of personal data of the complaining party (your
image).

Likewise, it was ordered that, within a period of ten business days from the date on which the

resolution in which it so agrees is notified, the claimed party proves having
proceeded to remove the camera from its current location.

SEVENTH: On 05/17/2023 the requested party was notified of the proposed resolution,
without any response having been received from this Agency.



                                PROVEN FACTS

FIRST: Installation of a white video surveillance camera on top of
the facade of the chalet owned by the claimed party, located at ***ADDRESS.1,
oriented towards the exterior areas of the plot.


SECOND: In the photograph taken by the complaining party from the position of the
camera, it is proven that the device in question focuses towards the area of the
pool and terrace.



                           FOUNDATIONS OF LAW

                                            Yo
                          Competition and applicable regulations


In accordance with the powers that article 58.2 of the RGPD grants to each authority of
control and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD,
The Director of the Agency is competent to initiate and resolve this procedure.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/11








Spanish Data Protection.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."

                                            II

                                   Previous issues

Article 4 “Definitions” of the GDPR defines the following terms for the purposes of
Regulation:


"1) 'personal data': any information about an identified natural person or
identifiable ("the interested party"); Any person will be considered an identifiable natural person
whose identity can be determined, directly or indirectly, in particular by
an identifier, such as a name, an identification number, data
location, an online identifier or one or more elements of identity
physical, physiological, genetic, mental, economic, cultural or social of said person;”


“2) “treatment”: any operation or set of operations performed on
personal data or sets of personal data, whether by procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,

communication by transmission, broadcast or any other form of enabling
access, collation or interconnection, limitation, deletion or destruction;”

In the present case, in accordance with article 4.1 of the GDPR, the physical image of a
person is personal data. In this way, the images generated by a system

of cameras or video cameras are personal data, so their processing
is subject to data protection regulations.

                                            III
                     Legality of the processing of personal data


Article 18 section 4 EC provides: “The law will limit the use of information technology to
guarantee the honor and personal and family privacy of citizens and the full
exercise of their rights.”

Recital 40 of the GDPR states that “For the processing to be lawful, the

Personal data must be processed with the consent of the interested party or on
any other legitimate basis established in accordance with Law, whether in the present
Regulation or under other law of the Union or of the Member States to which
referred to in this Regulation, including the need to comply with the legal obligation
applicable to the person responsible for the treatment or to the need to execute a contract with

to which the interested party is a party or in order to take measures at the request of the
interested prior to the conclusion of a contract.”



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/11








For its part, the principles that must govern the treatment are listed
in article 5 of the GDPR. In this sense, section 1 letter a), states that: “The
personal data will be:


    a) Treated in a lawful, loyal and transparent manner in relation to the interested party
        (legality, loyalty and transparency);

        (…)”


The principle of legality is fundamentally regulated in article 6 of the GDPR. The
assumptions that allow the processing of personal data to be considered lawful
listed in article 6.1 of the GDPR:

1. Treatment will only be legal if at least one of the following conditions is met.

nes:

    a) the interested party gave his/her consent to the processing of his/her personal data.
        them for one or more specific purposes;

    b) the processing is necessary for the execution of a contract in which the interested party

        sado is a party or for the application at his request of pre-contractual measures.
        them;

    c) the treatment is necessary for compliance with an applicable legal obligation.
        ble to the person responsible for the treatment;


    d) the processing is necessary to protect vital interests of the interested party or of
        another natural person;

    e) the treatment is necessary for the fulfillment of a mission carried out in

        public interest or in the exercise of public powers conferred on the person responsible
        of the treatment;

    f) the processing is necessary for the satisfaction of legitimate interests
        guided by the person responsible for the treatment or by a third party, provided that
        said interests do not prevail over the interests or functional rights and freedoms

        data of the interested party that require the protection of personal data, in
        particularly when the interested party is a child.

        The provisions of letter f) of the first paragraph will not apply to the treatment.
        “action carried out by public authorities in the exercise of their functions.”


Therefore, the “data processing” carried out with the object video surveillance camera
claim must be able to be justified on the so-called legitimizing bases, this
is, that the legality of the treatment can be proven in the list of situations or suppositions.
specific positions in which it is possible to process personal data.


In the present case, a video surveillance camera has been installed at the top of the
facade of the chalet owned by the claimed party, the claimant having rented it


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/11








part of the property (the contract has not been provided in the claim), with the right to use
of common areas (terrace and pool) and towards which the device is oriented.


As proof of these statements, the complaining party provided a report
photograph in which the presence of a white video surveillance camera is observed
in the upper part of the façade of the property mentioned, which, due to its height and position, is
focusing towards the areas mentioned above. Thus, the presence of the camera
in question involves the impact on spaces that are no longer “private” to the owner,
to be enjoyed by a third party whose rights must be respected, both

the right to privacy as the right to “protection of personal data”.

Therefore, the “personal and domestic” scope in capturing images of the areas
common (article 22.5 LOPDGDD) disappears when the temporary use and enjoyment of
private housing to a third party, becoming an area reserved for their

strictest personal and family privacy and also protected by the regulations of
data protection, which does not generally allow the collection and processing of
the same.

The right to privacy, remember, consists of guaranteeing the free development of the
individual private life of each one, without “there being interference from third parties”, the pre-

The presence of cameras focusing on shared use areas not only represents a con-
excessive control of the entrances/exits of the resident and/or companions, but
a “data processing” that is not justified in this file.

In this sense, the Constitutional Court affirms in STC 22/1984, that the right to

The inviolability of the home constitutes an authentic fundamental right of the person.
na, established, as we have said, to guarantee the scope of privacy of this
within the space that the person himself chooses and that has to be precisely characterized.
mind by being exempt or immune from foreign invasions or aggressions, from other
persons or public authority.


In this sense-- Contentious-Administrative Ruling No. 2923/2020, Supreme Court
Court of Justice of Catalonia, Contentious Chamber, Section 3, Rec 237/2019 of 02
July 2020--.

"As stated in STC 10/2002, of January 17 (FFJJ 5 and 6), cited by the Fiscal-

cal and by the appellant in amparo, and it has been recalled later in STC 22/2003, of
February 10, the constitutional norm that proclaims the inviolability of the home and the
prohibition of home entry and search (art. 18.2 CE), despite the autonomy
that the Spanish Constitution recognizes both rights, constitutes a manifestation
celebration of the preceding norm (art. 18.1 CE) that guarantees the fundamental right

to personal and family intimacy. So if the right proclaimed in art.
18.1 CE aims to protect a reserved area of people's lives.
excluded from the knowledge of third parties, whether public or private powers,
against their will, the right to home inviolability protects "an area
"determined spatial" given that in it people exercise their most intimate freedom, free

free from all subjection to social uses and conventions, being the object of protection
of this right, both the physical space itself considered, and what in it
there is emanation from the person and their private sphere. Therefore, we have stated that


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/11








The constitutional protection of the domicile is a protection of an instrumental nature,
that defends the areas in which a person's private life takes place.


Among other consequences, such instrumental character determines that the concept constitutes
tutional domicile has greater scope than the private or legal legal concept
administrative domicile and does not admit "reductionist conceptions" (for all
SSTC 94/1999, of May 31, FJ 5, and 10/2002, of January 17, FJ 6 in fine). Thus,
We have stated in legal basis 8 of the aforementioned STC 10/2002 that "the feature
essential that defines the domicile for the purposes of the protection provided by art.

18.2 CE lies in the ability to develop a private life in it and in its specific destiny.
fic to such development even if it is eventual. This means, first of all, that
destination or use constitutes the essential element for the delimitation of spaces
constitutionally protected, so that, in principle, their location is irrelevant.
tion, its physical configuration, its movable or immovable character, the existence or type of ownership.

legal title that enables its use, or, finally, the intensity and periodicity with which
private life develops therein. Second, while cash de-
development of private life is the determining factor of the specific aptitude for the
place in which it takes place is considered domicile, it does not necessarily follow from this
This aptitude cannot be inferred from some of these notes, or from others, in the
to the extent that they represent objective characteristics according to which it is possible

delimit the spaces that, in general, can and usually are used to develop
private life." As well as that "the instrumental nature of constitutional protection
tional of the home with respect to the protection of personal and family privacy requires
that, regardless of the physical configuration of the space, its external signs reflect
ensure the clear will of its owner to exclude said space and the activity carried out therein.

"rollover of knowledge and interference from third parties." From there we extracted the conclusion
consequently, by declaring the unconstitutionality of the provisions of art. 557 of the Law of
criminal prosecution that "hotel rooms can constitute domicile
of its guests, since, in principle, they are ideal places, due to their own characteristics.
ristics, so that the private life of those can develop in them, having

fact that the usual destination of hotel rooms is to carry out activities
generically framed in private life"

(*bold and underlined belongs to this organization).

In the agreement to initiate this sanctioning procedure, the party was charged with

claimed a violation of article 5.1.c) of the RGPD, typified in article 83.5.a)
of the GDPR; considering that capturing images of shared areas
(terrace and pool) gave rise to excessive and disproportionate treatment. Thus
set as an initial assessment an administrative fine of €300 (three hundred euros) and,
as a possible measure, the removal of the device from the current location or regularization of

compliance with current regulations.

However, taking into account the above and as a consequence of the
instruction, it was considered that the legal classification of the known facts should be
different. The lack of legal basis that legitimizes the processing of personal data of the

complaining party (image) violates the provisions of article 6.1 of the RGPD.

                                            IV
           Classification and qualification of the violation of article 6.1 of the RGPD

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/11









In accordance with the evidence available herein
sanctioning procedure, it is considered that the facts presented violate the

established in article 6.1 of the RGPD, which means the commission of an infraction
typified in article 83.5 of the RGPD which, under the heading “General conditions
for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,

In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:

    a) the basic principles for the treatment, including the conditions for the

       consent under articles 5, 6, 7 and 9; (…)”

For the purposes of the limitation period for infractions, the infraction indicated in the
previous paragraph is considered very serious in accordance with article 72.1 of the LOPDGDD,
which establishes that: “Based on what is established in article 83.5 of the Regulation

(EU) 2016/679 are considered very serious and will expire after three years.
infringements that involve a substantial violation of the aforementioned articles
in that and, in particular, the following:

    b) The processing of personal data without any of the conditions concurring

       of legality of the treatment established in article 6 of the Regulation (EU)
       2016/679; (…)”

                                           V
                  Penalty for violation of article 6.1 of the GDPR


The corrective powers available to the Spanish Agency for the Protection of
Data, as a supervisory authority, is established in article 58.2 of the GDPR. Between
They have the power to impose an administrative fine in accordance with the
article 83 of the RGPD -article 58.2 i)-, or the power to order the person responsible or
processor that the processing operations comply with the

provisions of the GDPR, where applicable, in a certain manner and within a
specified period -article 58.2 d).

According to the provisions of article 83.2 of the GDPR, the measure provided for in article 58.2
d) of the aforementioned Regulation is compatible with the sanction consisting of a fine

administrative.

In the present case, taking into account the facts, it is considered that the sanction that
It would be appropriate to impose an administrative fine. The fine imposed must
be, in each individual case, effective, proportionate and dissuasive, in accordance with the

article 83.1 of the GDPR. In order to determine the administrative fine to be imposed,
to observe the provisions of article 83.2 of the RGPD, which indicates:

"2. Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/11








Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:


a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as
such as the number of interested parties affected and the level of damages that
have suffered;

b) intentionality or negligence in the infringement;


c) any measure taken by the person responsible or in charge of the treatment to
alleviate the damages and losses suffered by the interested parties;

d) the degree of responsibility of the person responsible or in charge of the treatment,

taking into account the technical or organizational measures that have been applied under
of articles 25 and 32;

e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the

infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in

particular whether the controller or processor notified the infringement and, if so, in what
extent;

i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the

same matter, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with article 42,

k) any other aggravating or mitigating factor applicable to the circumstances of the case,

such as financial benefits obtained or losses avoided, direct or
indirectly, through infringement.”

For its part, in relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in
its article 76, “Sanctions and corrective measures”, provides:


"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.


2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:

a) The continuous nature of the infringement.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/11









b) The linking of the offender's activity with the performance of medical treatments.

personal information.

c) The benefits obtained as a consequence of the commission of the infraction.

d) The possibility that the conduct of the affected person could have included the commission

of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity


f) The impact on the rights of minors

g) Have, when not mandatory, a data protection delegate.

h) The submission by the person responsible or in charge, on a voluntary basis, to

alternative conflict resolution mechanisms, in those cases in which
"There are disputes between those and any interested party."

These are aggravating circumstances:


    - The nature, severity and duration of the infraction (art. 83.2.a RGPD), given
        realize that, as has already been noted, the home is inviolable, and the
        installation of video cameras implies a significant attack on the privacy of
        the people who live therein.


The balance of the circumstances listed above allows setting a fine of
€5,000 (five thousand euros) for committing the violation of article 6.1 of the RGPD.

                                            SAW
                                  Adoption of measures


Pursuant to the provisions of article 58.2 d) of the GDPR, the party is ordered
claimed that, within a period of ten business days from the date on which this resolution
is notified, proves that the camera has been removed from its current location.


Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE B.B.B., with NIF ***NIF.1, for a violation of article 6.1
of the RGPD, typified in article 83.5.a) of the RGPD, a fine of €5,000 (five thousand
euros).

SECOND: NOTIFY this resolution to B.B.B..





C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/11








THIRD: ORDER to B.B.B., with NIF ***NIF.1, which by virtue of article 58.2.d)
of the RGPD, within a period of ten business days from the date on which this resolution
is notified, proves that it has proceeded to remove the camera from the current location.

FOURTH: Warn the sanctioned person that he must make the sanction imposed effective

once this resolution is executive, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by entering it, indicating the NIF of the sanctioned person and the number

of procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in
the banking entity CAIXABANK, S.A.. Otherwise, it will be
collection in executive period.


Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the

interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the

cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/11













                                                                                                          938-010623

Sea Spain Martí
Director of the Spanish Data Protection Agency







































































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es