AEPD (Spain) - EXP202207521

From GDPRhub
AEPD - EXP202207521
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 27.05.2022
Decided:
Published:
Fine: 20,000 EUR
Parties: n/a
National Case Number/Name: EXP202207521
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Bernardo Armentano

The Spanish DPA fined a media company €20,000 for posting a photo taken from the data subject's private Instagram profile and posting it on a blog along with her name and age, violating Article 6(1) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

A journalist posted a photo of another journalist, the data subject, on the blog “Diario de Cadiz”, along with her name and age. This photo had been posted by the data subject on her private Instagram profile, which can only be accessed by previously authorized persons.

Upon becoming aware of the fact, the data subject filed a complaint with the Spanish DPA, claiming that the publication of the photo without consent violated Article 6 GDPR. The DPA opened an investigation and notified Joly Digital, S.L.U, the controller, to clarify what happened.

While informing that it had removed the photo from the blog, the controller argued that it was not personal data as it only showed the legs of a woman. Moreover, the controller claimed that the data subject did not prove that those were her legs. The controller also claimed to have acted in the exercise of its freedom of expression with the purpose of criticizing her for trivializing the profession of journalist. Nonetheless, the controller admitted that a third party took the photo from her private Instagram profile and sent it to the journalist who publish it on the blog.

Holding[edit | edit source]

The DPA stated that the image of a person constitutes personal data within the meaning of Article 4(1) GDPR and highlighted that, in the present case, the data subject was identified not only by the photo, but also by the name and age.

The DPA assesed the evidence and concluded that the picture was indeed of the data subject's legs. The DPA noted that even the controller admitted that the photo was taken from her Instagram profile and used to criticize her, praising her “taconazos” (high heels) as a frivolous conduct in relation to journalism and a prize awarded.

Morevover, the DPA clarified that the object of the procedure was not the exercise of the right to freedom of expression, but the unauthorized publication and diffusion of the screenshot from the data subject's private Instagram profile, consisting of a photo and a text on which her name, surname and age were shown without any legitimate purpose.

Fore the above reasons, the DPA found a violation of Article 6(1) GDPR and imposed a fine of €20,000 on the controller.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/17










     File No.: EXP202207521



               RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND

FIRST: D. A.A.A., in the name and representation of D. ª B.B.B. (hereinafter, the
complaining party), on May 27, 2022, filed a claim with the

Spanish Data Protection Agency. The claim is directed against JOLY
DIGITAL, S.L.U., with NIF B11514445 (hereinafter, the claimed party). The motives
on which the claim is based are the following:

On ***DATE.1, a journalist published in the blog that he has inserted in the
Diario de Cádiz, a personal photo of the claimant, of his private sphere and

belonging to his private account of the social network Instagram. manifest that bliss
private Instagram account has always been and is closed to the public, so
everyone who wants to access it and see its images and photographs has to
send you a friend request that the complaining party must accept expressly and
previously, said journalist not being among those accepted to access

your images and photos.

The dissemination of images made through the aforementioned blog, without consent
any and belonging to the (private) social network of the represented company, is located in the
following URL:


***URL.1

Considers that the public dissemination of personal and private images by the
claimed, constitute a manifest violation of the provisions of article 6 of the
General Data Protection Regulation (RGPD 2016/679), since it does not have

none of the legitimation bases established in section 1 of the aforementioned
article.

Along with the claim, a document is attached (...) of the image published in the
mentioned blog and that, at the date of the presentation of the claim, it was still

published.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and Guarantee of Digital Rights
(hereinafter LOPDGDD), said claim was transferred to the claimed party,

to proceed with its analysis and inform this Agency within a month,
of the actions carried out to adapt to the requirements established in the
data protection regulations.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/17








The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP) by electronic notification, was not collected by

the person in charge, within the period of availability, understood as rejected
in accordance with the provisions of art. 43.2 of the LPACAP, dated July 22, 2022,
as stated in the certificate that is in the file.

The transfer was sent by certified postal mail, being received on the 25th
July 2022.


On August 24, 2022, this Agency received a written response
indicating that the facts are reduced to the fact that the journalist published a photo in which
the legs of a woman appeared, published by the claimant in her account on
Instagram on the occasion of (…), praising their “high heels”. Photo they sent to

journalist, since he does not have an Instagram account, and that he published under the text (...),
criticizing what he understood to be frivolous conduct in relation to journalism and
prize awarded.

Consider that the image that is reproduced does not correspond to a person
identified or identifiable and therefore it is not personal data and that in the comment that

accompanies the photograph, the name of the party is not mentioned at any time
claimant and that this claim is framed in a controversy of overtones
personal, removed from any legal basis or legal basis.

THIRD: On September 9, 2022, in accordance with article 65 of the

LOPDGDD, the admission for processing of the claim presented by the
complaining party.

FOURTH: On January 26, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate disciplinary proceedings against the claimed party,

in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of Public Administrations (in
hereafter, LPACAP), for the alleged infringement of article 6.1 of the GDPR, typified in
Article 83.5 of the GDPR.

The startup agreement was sent, in accordance with the rules established in the Law

39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP), by means of electronic notification,
although it was not collected by the person in charge, within the period of making it available,
being understood rejected in accordance with the provisions of art. 43.2 of the LPACAP, in
dated February 9, 2023, as stated in the certificate in the file.


However, the initiation agreement was forwarded, upon request, to the representative of
the entity under power of attorney, in accordance with the regulations established in the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP), by means of electronic notification,

being received on February 1, 2023, as stated in the certificate that works
on the record.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/17








FIFTH: Notified of the aforementioned start-up agreement in accordance with the rules established in
Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP), the claimed party submitted a written

of allegations in which, in summary, he provides a dossier on the professional profile of the
complaining party in one of the most important social and professional applications
such as the social network LinkedIn, various articles and press clippings taken from
Spanish newspapers highlighting the reference to the complaining party as well as a copy
of the agreement to start the disciplinary procedure.


SIXTH: On March 8, 2023, a resolution proposal was formulated,
proposing:

<<That the Director of the Spanish Data Protection Agency sanctions
JOLY DIGITAL, S.L.U., with NIF B11514445,


-for a violation of article 6.1 of the GDPR, typified in article 83.5 of the GDPR,
with an administrative fine of 20,000.00 euros.

- JOLY DIGITAL, S.L.U., with NIF B11514445, is ordered that by virtue of article
58.2.d) of the GDPR, within a period of 1 month, accredit having proceeded to comply with

the necessary corrective measures to adapt its performance to the regulations of
protection of personal data, which prevent events from being repeated in the future
similar.>>

The aforementioned resolution proposal was sent, in accordance with the rules established in

Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP), by means of electronic notification,
Although it was not collected by the person in charge, within the period of making it available,
being understood rejected in accordance with the provisions of art. 43.2 of the LPACAP, in
dated March 23, 2023, as stated in the certificate in the file.


However, the proposed resolution was forwarded, upon request, to the
representative of the entity under power of attorney, in accordance with the established regulations
in Law 39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP), by means of electronic notification,
being received on March 16, 2023, as stated in the certificate that works

on the record.

SEVENTH: On March 31, 2023, the claimed party submitted a written
allegations to the Resolution Proposal, in which, in summary, puts into question
knowledge of the AEPD that, in compliance with the requirement contained in the

motion for a resolution, has proceeded to eliminate the screenshot of the
Instagram social network object of this procedure.

Likewise, it shows its disagreement with the incorrect processing of the file
that has generated a serious defenselessness since there is no evidence in

relation to the photograph object of this procedure. It denies not only that its object
are the complainant's legs, but rather denies that the photograph was
made by her and does not come from an image bank. For this reason, it reiterates that the
Absence of proof in the indicated sense causes him a serious defenselessness.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/17









Secondly, it states that the publication that is the subject of this file has not been
made in the digital newspaper Diario de Cádiz, but in an opinion blog hosted on

said address, but autonomous and independent in terms of its content with respect to the
aforementioned digital newspaper. In it, its author exercises his right to freedom of expression.
An example of this is the publication in question.

In this sense, it understands that as article 4 of the GDPR defines personal data
as “any information about an identified or identifiable natural person”,

Opinions such as the one published would be excluded from the scope of protection.

Regarding the prevalence of the right to freedom of expression over the right to
protection of personal data, considers that, in order to carry out a
correct weighting of the rights in conflict, it must be previously analyzed the

context and concurrent circumstances in which the capture of
screen and that in this case there is no processing of personal data
but rather an exercise of the right to freedom of expression by a
journalist when commenting on another journalist with public notoriety on the occasion of a
news event: (…).


He therefore considers that the publication of the photograph on the blog constitutes a
legitimate exercise of their fundamental right to freedom of expression whenever the
publication has been carried out in exercise of a prevailing fundamental right, the
Mr. C.C.C. He does not have access to Instagram so he can hardly be the author of the
blamed conduct, that is, downloading from Instagram a photograph published by the

complainant for subsequent disclosure (to Mr. C.C.C. a third party has sent
directly that screenshot) and the conduct of Mr. C.C.C. consists in
censor the trivialization of journalism as a profession, as well as of journalism itself
recognition that supposes the awarded prize. And that opinion cannot be expressed
without publishing the photograph that had been sent to him.


It also adds that for an image to be considered personal data, the image itself
The image must contain features that make it unquestionably identifiable. And in
In this case, from the publication made, the most that could be concluded is that it has been
Posted by Mrs. B.B.B..


Finally, regarding the classification of the sanction and fixing the amount, it shows
manifest that the notified sanction proposal is absolutely disproportionate
and requests that it be agreed to declare the non-existence of infringement and proceed to file
of these proceedings.


In view of all the proceedings, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts:

                                PROVEN FACTS

FIRST: It is on record that on May 27, 2022, the claimant filed

claim before the Spanish Agency for Data Protection, having published
in the Diario de Cádiz, a personal photo of his private sphere and belonging to his
private account of the social network Instagram.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/17









SECOND: It is on record that on ***DATE.1, Mr. C.C.C. published on the website:


***URL.1

an article that under the title: "(...)", reproduced a screenshot of the social network
Instagram of the complaining party. Said screenshot consisted of the dissemination of
the denounced image accompanied by the following text: “(…).”


THIRD: It is on record that the claimed party, in its brief of March 31, 2023,
informs that it has proceeded to eliminate "the screenshot of the social network of
Instagram object of this procedure.”

                           FUNDAMENTALS OF LAW


                                            Yo
                                      Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each

control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
Guarantee of Digital Rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character

subsidiary, by the general rules on administrative procedures."

                                            II
                                   previous questions

The facts claimed materialize in the publication, without legitimacy or

consent, of a screenshot belonging to the private account of the network
social Instagram of the claimant, consisting of a photo of the claimant, on the web
***URL.1, under the following text: "(...)", which could imply a violation of the
regulations on data protection.


It is, therefore, pertinent to analyze whether the processing of personal data carried out through
through the reported publication is in accordance with the provisions of the GDPR.

The physical image of a person, according to article 4.1 of the GDPR, is data
personnel and their protection, therefore, is the object of said Regulation, understanding by

personal data: "all information about an identified natural person or
identifiable”.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/17








An identifiable natural person is considered to be one whose identity can be determined,
directly or indirectly, in particular by means of an identifier, such as a
name, an identification number, location data, an online identifier or

one or several elements proper to physical, physiological, genetic, psychological,
economic, cultural or social of said person.

In the specific case under review, the image published together with the name, surname
and age of the person to whom it has been attributed, constitute a data set of
personal nature within the meaning of article 4.1 of the GDPR, and, therefore, data

related to an identified or identifiable natural person.

Likewise, treatment must be understood as “any operation or set of operations
tions made on personal data or sets of personal data, either by
automated procedures or not, such as the collection, registration, organization, structure

ration, conservation, adaptation or modification, extraction, consultation, use, co-
communication by transmission, diffusion or any other form of access authorization,
collation or interconnection, limitation, suppression or destruction”.


Taking the above into account, Joly Digital, S.L.U., is an Andalusian publishing group that
for the edition of newspapers and magazines it treats personal data.

It carries out this activity in its capacity as data controller, since it is
who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR:

"responsible for the treatment" or "responsible": the natural or legal person, authority
public authority, service or other body that, alone or jointly with others, determines the purposes and

means of treatment; if the law of the Union or of the Member States determines
determines the purposes and means of the treatment, the person in charge of the treatment or the criteria
Specific reasons for their appointment may be established by the Law of the Union or of the
Member states.

The General Data Protection Regulation, in its article 4.11, defines the
consent of the interested party as "any manifestation of free, specific,
informed and unequivocal by which the interested party accepts, either through a
declaration or a clear affirmative action, the processing of personal data that

concern”.

In this sense, article 6.1 of Organic Law 3/2018, of December 5, of
Protection of Personal Data and Guarantee of Digital Rights, establishes that
"In accordance with the provisions of Article 4.11 of Regulation (EU) 2016/679,

The consent of the affected party is understood to be any manifestation of free will,
specific, informed and unequivocal for which he accepts, either through a
declaration or a clear affirmative action, the processing of personal data that
concern”.
                                            II

                       Allegations Adduced to the Initiation Agreement

In response to the allegations presented by the respondent entity, it should be noted
the next:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/17








Opinion 4/2007, on the concept of personal data, adopted on 06/20 by the
Working group 29, of Directive 95/46, analyzes in depth the concept of
personal data, indicating the reference: "they are all information about a person

identified or identifiable physical person, being considered identifiable any person whose
identity can be determined directly or indirectly, in particular by means of a
identification number or one or more specific elements characteristic of your
physical, physiological, psychic, economic, cultural or social identity”. A person
is considered directly identified through the name and surname and is more
individualized, when, in addition, there is another identifier, for example, your photograph,

through which you can get more information about that person.

The diffusion of images made through the aforementioned blog, together with the name,
surname and age of the person to whom it has been attributed, without any consent and
belonging to the claimant's (private) social network, located at URL: ***URL.1,

constitutes data processing.

The claimed party intends to criticize and express the opinion that the facet deserves
professional of the complaining party and for this purpose it uses personal data of the complaining party
claimant listed in the URL of his domain, disclosing the information to the public.
To this end, it even publishes without any consent and belonging to the social network

(private) of the claimant, her image along with her name, surname and age.

In relation to the use of photographic content, it is worth mentioning STS 363/2017,
of February 15, in which the following is indicated:


"... that, in the account opened in a social network on the Internet, the owner of the profile has
“uploaded” a photograph of yourself that is accessible to the general public, you do not authorize a
third party to reproduce it in a communication medium without the consent of the owner
because such action cannot be considered a natural consequence of the character
accessible data and images of a public profile on a social network on the Internet.

The purpose of an account opened in a social network on the Internet is the communication of
its owner with third parties and the possibility that these third parties may have access to the
content of that account and interact with its owner, but not that the
image of the owner of that account in a media outlet.

[…] The consent of the owner of the image for the general public, or a

certain number of people, can see your photo in a blog or in an account
opened on the website of a social network does not imply authorization to make use of that
photograph and publish or disseminate it in a different way”.

Although said Judgment refers to images accessible to the general public, in

specifically to the image captured from the Facebook profile that the interested party himself gave to
know on social networks, in the specific case of this file, the claimant
had the image posted on the private part of his Instagram.

The documentation in the file shows that the claimed party violated
article 6.1 of the GDPR, when disseminating the image of the claimant,
accompanied by your name, surname and age, without any legitimizing cause such as

it could be consent or authorization on social media.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/17








Therefore, this Agency, after having verified that the claimed party has published
and spread a screenshot belonging to the private account of the social network
Instagram of the claimant, consisting of a photo of the claimant, and a text in the

containing his name, surname and age, concludes, in accordance with the
indicated legal reasoning, that data processing has been carried out without
legitimation, since the party claimed otherwise has not been proven, and therefore
therefore it is considered that it has incurred in a violation of article 6 of the GDPR.

Article 6, Lawfulness of the treatment, of the GDPR establishes:


       "1. Processing will only be lawful if at least one of the following is fulfilled
conditions:

       a) the interested party gave his consent for the processing of his data

       personal for one or more specific purposes;
       b) the processing is necessary for the performance of a contract in which the
       interested party or for the application at the request of this of measures
       pre-contractual;
       c) the processing is necessary for compliance with a legal obligation
       applicable to the data controller;

       d) the processing is necessary to protect vital interests of the data subject or
       of another physical person;
       e) the treatment is necessary for the fulfillment of a mission carried out in
       public interest or in the exercise of public powers conferred on the person responsible
       of the treatment;

       f) the processing is necessary for the satisfaction of legitimate interests
       pursued by the data controller or by a third party, provided that
       such interests are not overridden by the interests or the rights and freedoms
       of the interested party that require the protection of personal data,
       in particular when the interested party is a child.

       The provisions of letter f) of the first paragraph shall not apply to the
       processing carried out by public authorities in the exercise of their
       functions.

       (…)”.


Also article 6, Treatment based on the consent of the affected party, of the
new Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), states that:

       "1. In accordance with the provisions of article 4.11 of Regulation (EU)

2016/679, the consent of the affected party is understood as any expression of will
free, specific, informed and unequivocal for which he accepts, either through a
declaration or a clear affirmative action, the processing of personal data that
concern.


       2. When it is intended to base the processing of data on consent
of the affected person for a plurality of purposes, it will be necessary for it to be clearly
specific and unequivocal that said consent is granted for all of them.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/17








       3. The execution of the contract may not be made subject to the fact that the affected party consents to the
processing of personal data for purposes unrelated to the
maintenance, development or control of the contractual relationship”.


On this question of the legality of the treatment, Recital 40 also affects
of the aforementioned GDPR, when it provides that:

 "For processing to be lawful, personal data must be processed with the
consent of the interested party or on some other legitimate basis established in accordance

a Law, either in this Regulation or under other Union law
or of the Member States referred to in this Regulation, including the
the need to comply with the legal obligation applicable to the data controller or the
need to execute a contract to which the interested party is a party or in order to
take measures at the request of the interested party prior to the conclusion of a

contract."

There is no record, however, that the aforementioned processing of personal data was carried out
carried out by the claimed party under the protection of a legal basis that legitimizes it.

Consequently, the allegations must be dismissed, meaning that the

arguments presented do not distort the essential content of the offense that
is declared committed nor does it imply sufficient justification or exculpation.

                                           IV.
                  Allegations Adduced to the Resolution Proposal

In response to the allegations presented by the respondent entity to the Proposal
Resolution, the following should be noted:


The defendant alleges that there is no evidence in relation to the photograph
subject of this procedure. It denies not only that its object is the legs of the
complainant, but denies that the photograph was taken by her and does not proceed
from an image bank. For this reason, it reiterates that the absence of evidence in the sense

pointed out, causes him serious defenselessness.

The joint assessment of the documentary evidence in the procedure brings to
knowledge of the AEPD, a vision of the denounced action that has been
reflected in the facts declared proven above reported. However, about the

allegations presented by the claimed entity, it must be indicated that, as
stated in the previous proceedings, the AEPD required the requested party to provide information
related to the incident, confirming what was stated in the claim document,
when stating the claimed party that the journalist published a photo in which they appeared
the legs of a woman, published by the claimant on her Instagram account with
occasion of (...), praising their "heels". Photo they sent to the journalist, given that

he does not have an Instagram account, and that he published under the text (…), criticizing what he
understood frivolous conduct in relation to journalism and the prize awarded.

Likewise, in the allegations now presented it is clear that a third party sent Mr.
C.C.C. that screenshot. Therefore, this Agency, after having verified that the

Respondent party has published and disseminated a screenshot belonging to the
private account of the claimant's Instagram social network, consisting of a photo of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/17








the claimant, and a text that includes her name, surname and age, concludes that
has carried out data processing without legitimacy, since it has not been accredited
by the party claimed the contrary, and therefore it is considered that it has incurred in a

infringement of article 6 of the GDPR.

Secondly, it states that the publication that is the subject of this file has not been
made in the digital newspaper Diario de Cádiz, but in an opinion blog hosted on
said address, but autonomous and independent in terms of its content with respect to the
aforementioned digital newspaper. In it, its author exercises his right to freedom of expression.

An example of this is the publication in question.

In this sense, it understands that as article 4 of the GDPR defines personal data
as “any information about an identified or identifiable natural person”,
Opinions such as the one published would be excluded from the scope of protection.


Well, in the present case, the claimed party is responsible for the
data processing now analyzed since as defined in article 4.7 of the
GDPR, is the entity that determines the purpose and means of processing
made.


In the specific case under review, the screenshot belonging to the account
of the claimant's Instagram social network, consisting of a photo of the re-
claimant, and a text in which his name, surname and age appear, constitute data of
personal nature within the meaning of article 4.1 of the GDPR, and, therefore, data related to
two with an identified or identifiable natural person.


In this regard, it should be made clear that the purpose of this proceeding
sanction is not the exercise of the right to freedom of expression by a
journalist when commenting on another journalist with public notoriety on the occasion of a
news event, but the publication and dissemination of the screenshot belonging to

the claimant's private Instagram social network account, consisting of a photo
of the claimant, and a text that includes her name, surname and age, without cause
some legitimizing

It should be taken into account that the data protection regulations do not carry out a
distinction between public and private data, allowing without further ado, the use of data that the
concerned has been made public, but generally grants protection to
personal data, determining those cases in which said treatment

turns out to be consistent with it.
The Constitutional Court comes to establish the right to data protection as
autonomous fundamental right. By virtue of this fundamental right, the citizen,

In general, you can decide on your own data.

In this sense, the jurisprudential doctrine of the Court must be taken into consideration.
Constitutional Law on this matter, which configures the right to data protection as
an autonomous fundamental right, differentiated from the fundamental right to
privacy. It thus states in its Judgment 292/2000, the following:


       Thus, the object of protection of the fundamental right to protection
of data is not reduced only to the intimate data of the person, but to any type of
personal data, whether intimate or not, whose knowledge or use by third parties may
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/17








affect their rights, whether fundamental or not, because their object is not only the
individual privacy, which for this is the protection that art. 18.1 CE grants, but
personal data. Therefore, it also reaches those data
public personal, that, by the fact of being, of being accessible to the knowledge of
anyone, do not escape the power of disposition of the affected party because this is guaranteed by his

right to data protection. Also for this reason, the fact that the data is of a
does not mean that only those related to private or intimate life have protection
of the person, but the covered data are all those that identify or
allow the identification of the person, being able to serve for the preparation of their profile
ideological, racial, sexual, economic or of any other nature, or that serve to
any other utility that in certain circumstances constitutes a threat

for the individual.”

The aforementioned Judgment 292/2000 also determines the content of the right to
protection of personal data indicating in its legal basis 7:


       “From all that has been said, it results that the content of the fundamental right to
Data protection consists of a power of disposal and control over the data
personal information that empowers the person to decide which of those data to provide to
a third party, be it the State or an individual, or which can be collected by this third party, and that
it also allows the individual to know who owns that personal data and for what,
being able to oppose that possession or use. These powers of disposition and control

on personal data, which constitute part of the content of the right
fundamental to data protection are legally specified in the power to
consent to the collection, obtaining and access to personal data, its subsequent
storage and treatment, as well as its use or possible uses, by a third party, be it the
state or an individual. And that right to consent to knowledge and treatment,
computerized or not, of personal data, requires as complements

essential, on the one hand, the ability to know at all times who has
these personal data and to what use you are submitting them, and, on the other hand, the power
oppose that possession and uses.

       In short, they are characteristic elements of the constitutional definition of law
fundamental to the protection of personal data the rights of the affected to consent

about the collection and use of your personal data and to know about them. and they turn out
essential to make this content effective the recognition of the right to be
informed of who owns your personal data and for what purpose, and the right to be able
oppose that possession and use by requiring whoever it corresponds to put an end to the
possession and use of data. That is, demanding from the owner of the file that
inform of what data you have about your person, accessing your appropriate records and

seats, and what destination they have had, which also reaches possible assignees; and,
where appropriate, require him to rectify or cancel them."

Focusing on the imputation of which the present procedure brings
disciplinary action should indicate that the circumstance that causes the opening of the

procedure is none other than the publication, in a media blog,
of a screenshot belonging to the private account of the social network Instagram
of the claimant, consisting of a photo of the claimant, and a text containing
your name, surname and age. Circumstance that is not equivalent to an authorization to
that third parties can use it freely, so that the treatment of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/17








image, along with the name, surname and age of the claimant, without their consent
prior and express, implies the violation of article 6 of the GDPR.


Lastly, as regards the allegation regarding the classification of the sanction and fixing of the
amount, article 83.5 of the GDPR establishes that the infringement of article 6 of the GDPR
may be sanctioned “with administrative fines of 20,000,000 EUR maximum
or, in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the one with the highest amount”, for which reason an important reduction of this is already applied.


The STS, Chamber 3, of December 16, 2003 (Rec. 4996/98) already indicated that the
principle of proportionality of sanctions requires that "the discretion that is
granted to the Administration for the application of the sanction to be carried out weighing
in any case the concurrent circumstances, in order to achieve the due

proportionality between the facts charged and the responsibility demanded". Principle of
proportionality that is not understood to be violated, considering the proportionality
sanction proposed to the entity, for the facts proven and weighted the
concurrent circumstances, which are detailed below.

Likewise, it manifests the lack of proportionality in comparison with the content of
other resolutions issued by the AEPD as a consequence of the alleged infringement

of article 6 of the GDPR.

Specifically, they outline the sanction imposed in a disciplinary proceeding of the
AEPD to a football club that had published a video of a
minor without consent, in which a moment of the match played was shown
to show their disagreement with the arbitral decision. In the above case, even
when a data subject to special protection was processed, such as

that of the image of a minor, the AEPD agreed to establish a penalty of 5,000 euros.

Well, the GDPR expressly provides for the possibility of graduation, through the
provision of fines subject to modulation, in response to a series of
circumstances of each individual case. And the recently approved Guide to Fines
by the European Committee for Data Protection proposes, in the determination of point

starting point for calculating the fine, evaluate on the one hand the seriousness of the infringement
according to the circumstances of the case and on the other, the volume of business of the company.

These circumstances have been taken into account when setting the penalty. consists
known that the respondent is an entity that manages a large volume of
personal data in the exercise of its powers. This circumstance determines a
greater degree of demand and professionalism and, consequently, responsibility

of the entity in relation to the processing of personal data.

Consequently, the allegations must be dismissed, meaning that the
arguments presented do not distort the essential content of the offense that
is declared committed nor does it imply sufficient justification or exculpation.

                                           V

                                 Article 6.1 of the GDPR
The documentation in the file offers clear indications that the party

claimed has published and disseminated, without legitimacy or consent, a capture of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/17








screen belonging to the private account of the claimant's Instagram social network,
consisting of a photo of the claimant, and a text in which her name appears,
surnames and age.


The defendant considers that the image reproduced does not correspond to a
identified or identifiable person and therefore it is not personal data and that in the
comment that accompanies the photograph, there is no mention of the
name of the complaining party and that this claim is part of a
controversy of personal overtones, far from any legal basis or legal basis.


In this sense, the Spanish Data Protection Agency must mention
two judgments, one issued by the Supreme Court- STS 91/2017, of February 15 -
and another by the Constitutional Court - STC 27/2020, of February 24-, in which
affirms that a photograph in a social network is not equivalent to an authorization for

third parties can freely use it, so that the treatment of the image
of the claimant without their prior and express consent, implies the violation of the
Article 6 of the GDPR.

The TS, in judgment 91/2017, of February 15, declares that "That, in the open account
on a social network on the Internet, the owner of the profile has "uploaded" a photograph of himself that

is accessible to the general public, does not authorize a third party to reproduce it in a me-
gave communication without the consent of the owner, because such action cannot
considered a natural consequence of the accessible nature of the data and images
in a public profile of a social network on the Internet. The purpose of an account opened in
a social network on the Internet is the communication of its owner with third parties and the possibility

from those third parties being able to access the content of that account and interact
with its owner, but not that the image of the account holder can be published in a
media. [...]”

For its part, the TC in its ruling 27/2020, of February 24, indicates that "The fact of

The fact that private data circulates through social networks on the Internet does not mean that it is private.
has become public, since the digital environment is not comparable to the concept
the "public place" referred to in Organic Law 1/1982, nor can it be affirmed that the
citizens of the digital society have lost or renounced their rights protected
two in art. 18 CE.”


This TC doctrine is included in the STS of July 28, 2022, which also recalls
given that the European Court of Human Rights has highlighted with respect to these
new methods and techniques for obtaining information, that it is necessary to monitor
reinforced lance of the protection of private life in the face of new technologies,
that enable the storage and reproduction of personal data, as well as

such as, in particular, the systematic taking of specific photos and their dissemination to the public
(CtHR of June 24, 2004, Von Hannover v. Germany, § 70)

Consequently, it is considered that the accredited facts are constitutive of
infringement, attributable to the claimed party, for violation of article 6.1 of the GDPR.

                                            SAW

                 Classification of the infringement of article 6.1 of the GDPR


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/17








The aforementioned infringement of article 6.1 of the GDPR supposes the commission of the infringements
typified in article 83.5 of the GDPR that under the heading "General conditions
for the imposition of administrative fines” provides:

Violations of the following provisions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:


       a) the basic principles for the treatment, including the conditions for the
       consent under articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that
"The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result

contrary to this organic law”.

For the purposes of the limitation period, article 72 "Infractions considered very
serious” of the LOPDGDD indicates:


"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that
a substantial violation of the articles mentioned therein and, in particular, the
following:


       a) The processing of personal data without the concurrence of any of the
           conditions of legality of the treatment established in article 6 of the
           Regulation (EU) 2016/679.

                                           VII
                                        Sanction


In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the GDPR, precepts that state:

"1. Each control authority will guarantee that the imposition of fines

administrative proceedings under this article for violations of this
Regulations indicated in sections 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each

individual case, in addition to or in lieu of the measures contemplated in
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case shall be duly taken into account:

a) the nature, seriousness and duration of the offence, taking into account the nature
nature, scope or purpose of the processing operation in question, as well as the number

number of interested parties affected and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person in charge or in charge of the treatment to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/17








settle the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or of the person in charge of the treatment, habi-
gives an account of the technical or organizational measures that have been applied by virtue of the

articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the potential adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular

determine whether the controller or processor notified the infringement and, if so, to what extent
gives; i) when the measures indicated in article 58, paragraph 2, have been ordered
given previously against the person in charge or the person in charge in relation to
the same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or to certification mechanisms.

fications approved in accordance with article 42,
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
as the financial benefits obtained or the losses avoided, directly or indirectly.
mind, through infraction.”

For its part, article 76 "Sanctions and corrective measures" of the LOPDGDD

has:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(UE) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of said article.


2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:

        a) The continuing nature of the offence.

        b) Linking the activity of the offender with the performance of processing
        of personal data.
        c) The benefits obtained as a consequence of the commission of the infraction.
        d) The possibility that the conduct of the affected party could have led to the
        commission of the offence.
        e) The existence of a merger process by absorption after the commission

        of the infringement, which cannot be attributed to the absorbing entity.
        f) The affectation of the rights of minors.
        g) Have, when it is not mandatory, a data protection delegate
data.
        h) The submission by the person in charge or in charge, with character

        voluntary, alternative conflict resolution mechanisms, in those
        cases in which there are controversies between them and any
        interested."

Penalty for violation of article 6.1 of the GDPR.


In accordance with the precepts transcribed, for the purpose of setting the amount of the penalty for
infringement of article 6.1 of the GDPR, it is appropriate to graduate the fine taking into account the
following graduation criteria:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/17









As an aggravating circumstance:


Article 83.2.a) GDPR: the nature, seriousness and duration of the infringement, taking
into account the nature, scope or purpose of the processing operation to be
concerned, as well as the number of interested parties affected and the level of damages
who have suffered:

The treatment carried out by the claimant has been carried out through a page

web with great visibility so its diffusion is greater.

Regarding the duration of the infringement, the AEPD verified that, up to the date of the
presentation of the claim, it was possible to access the screenshot
belonging to the private account of the claimant's Instagram social network,

consisting of a photo of the claimant, and a text in which her name appears,
surnames and age on the web page ***URL.1., allowing unauthorized access to
said data by third parties.

Article 83.2 g) GDPR: the categories of personal data affected by
the infringement: image of the claimant.


Article 76.2 b) LOPDGDD: "The link between the offender's activity and the performance of
tion of personal data processing”. The activity of the claimed entity requires
continuous processing of personal data. Likewise, the entity claims
da carries out for the development of its activity, a high volume of data processing.
personal coughs.


Considering the exposed factors, the valuation that reaches the amount of the fine
is €20,000 for violation of article 6.1 of the GDPR.

Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited, the Director of the

Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE JOLY DIGITAL, S.L.U., with NIF B11514445, for a
violation of article 6.1 of the GDPR, typified in article 83.5 of the GDPR, a fine
of 20,000.00 euros.


SECOND: NOTIFY this resolution to JOLY DIGITAL, S.L.U.

THIRD: Warn the penalized person that they must make the imposed sanction effective
Once this resolution is enforceable, in accordance with the provisions of Article

art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of its income, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account

restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/17








the banking entity CAIXABANK, S.A. Otherwise, it will proceed to its
collection in executive period.


Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if
between the 16th and the last day of each month, both inclusive, the payment term

It will be until the 5th of the second following or immediately following business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reversal before the
Director of the Spanish Agency for Data Protection within a period of one month from
count from the day following the notification of this resolution or directly

contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the

referred Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the

documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.
                                                                                938-010623
Mar Spain Marti
Director of the Spanish Data Protection Agency















C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es