AEPD (Spain) - EXP202210525

From GDPRhub
AEPD - PS/00559/2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 02.09.2022
Decided: 12.07.2023
Published: 12.07.2023
Fine: 10,000 EUR
Parties: n/a
National Case Number/Name: PS/00559/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The Spanish DPA fined a security guard €10,000 for capturing images from the video surveillance system of a correctional facility and disseminating them via WhatsApp, in violation of Article 6 GDPR.

English Summary


The controller was a security guard hired by a private company providing video surveillance services to a prison in Madrid. The guard used his mobile phone to capture images of a visitor from the video surveillance system and sent these images via WhatsApp to other colleagues. In September 2022, the prison's security department filed a complaint against the controller for possible GDPR violations.


The Spanish DPA highlighted that the physical image of a person is personal data within the meaning of Article 4(1) GDPR. Therefore, their processing is subject to data protection regulations. The DPA concluded that capturing the images of a person from the prison's video surveillance system and disseminating them via WhatsApp violates the provisions of Article 6 GDPR. For this reason, the DPA fined the controller €10,000.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: EXP202210525
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
FIRST: On September 2, 2022, the DTO. SEC. PC. NAVALCARNERO
(MADRID-IV) (hereinafter, the claimant) filed a claim with the Agency
Spanish Data Protection.
The claim is directed against A.A.A. with NIF ***NIF.1 (hereinafter, the part
claimed), for the installation of a video surveillance system located in CENTRO
MADRID IV-NAVALCARNERO PENITENTIARY, there being indications of a possible
breach of the provisions of articles 42.5 and 58.1 c) of Law 5/2014, of 04
of April, of Private security, related to video surveillance services in the field
of private security.
The reasons for the claim are the following:
The claimant provides the Complaint Act dated August 24, 2022 in which the
shows that the claimed part is destined by your company,
TRABLISA MULTISERVICIOS, at the Madrid IV Penitentiary Center in Navalcarnero,
as a security guard and that he captured images of the
video surveillance system of the Penitentiary Center, in which a visitor appeared
of the Center, to send these images via WhatsApp to other colleagues.
The documents provided are:
-Reports made by the FFCCSE
-Image dumped in the WhatsApp chat of Trablisa guards in Madrid-IV
(Navalcarnero) reflected in annex II of the record / complaint and request to start
procedure number ***PROCEDURE.1 for violation of the regulations of
private security dated August 24, 2022.
SECOND: On October 7, 2022 in accordance with article 65 of the
LOPDGDD, the claim presented by the claimant party was admitted for processing.
THIRD: On December 21, 2022, the Director of the Spanish Agency
of Data Protection agreed to initiate disciplinary proceedings against the claimed party,
for the alleged infringement of article 6 of the GDPR, typified in article 83.5 of the
FOURTH: On January 16, 2023, the aforementioned start agreement was notified
in accordance with the rules established in Law 39/2015, of October 1, of
C/ Jorge Juan, 6
28001 – Madrid
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), being carried out by means of publication in the edictal notice board in accordance with the
Article 44 of said legal text, upon returning the notification made by post
by unknown address, and after the term granted for the formulation of
allegations, it has been verified that no allegation has been received by the party
In response to this Agency's request, on March 8, 2023, the AEAT provided
the tax address of the defendant, therefore, on March 24, 2023, he was notified with
success of the proposed resolution and a period of TEN DAYS is granted for them to
can allege whatever it deems appropriate in its defense and present the documents and
information that it deems pertinent, in accordance with article 89.2 of the
LPACAP, however, and despite verifying the receipt of said proposal for
resolution, no claim has been made in this regard by the
In view of all the proceedings, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts:
FIRST: The defendant, a security guard at a prison, captured
with your mobile phone, images from the Center's video surveillance system
Penitentiary, in which a visitor to the Center appeared, and these images were
sent via WhatsApp to other colleagues.
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."
The physical image of a person, according to article 4.1 of the GDPR, is data
personnel and their protection, therefore, is the subject of said Regulation. In article 4.2
of the GDPR defines the concept of "processing" of personal data.
C/ Jorge Juan, 6
28001 – Madrid
The images generated by a system of cameras or camcorders are data of
personal nature, so its treatment is subject to the protection regulations
of data.
It is, therefore, pertinent to analyze whether the processing of personal data (image of the
natural persons) carried out through the denounced video surveillance system is
in accordance with the provisions of the GDPR.
Law 5/2014, of April 4, on private security, in its article 42.5 establishes what
“The monitoring, recording, processing and recording of images and sounds by
of video surveillance systems will be subject to the provisions of the regulations in
matter of protection of personal data, and especially to the principles
of proportionality, suitability and minimal intervention”
Said normative text in its article 58.1 c, considers as a very serious infraction:
c) The lack of confidentiality regarding the facts that they know in the exercise of their duties.
functions or the use of material or technical means in such a way that they violate
against the right to honor, to personal or family privacy, to one's own image or to
secrecy of communications when they do not constitute a crime.
Article 6.1 of the GDPR establishes the assumptions that allow the use of
processing of personal data indicating the following:
"1. Processing will only be lawful if at least one of the following is fulfilled
a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at the request of the latter of pre-contractual measures;
c) the processing is necessary for compliance with a legal obligation applicable to the
responsible for the treatment;
d) the processing is necessary to protect vital interests of the data subject or of another
Physical person; e) the processing is necessary for the fulfillment of a mission
carried out in the public interest or in the exercise of public powers vested in the
responsible for the treatment;
f) the treatment is necessary for the satisfaction of legitimate interests pursued
by the person in charge of the treatment or by a third party, provided that on said
interests do not outweigh the interests or fundamental rights and freedoms of the
interested party that require the protection of personal data, in particular when the
interested is a child. The provisions of letter f) of the first paragraph shall not apply.
C/ Jorge Juan, 6
28001 – Madrid
application to processing carried out by public authorities in the exercise of their
Regarding treatment for video surveillance purposes, article 22 of the LOPDGDD
establishes that natural or legal persons, public or private, may carry out
carry out the treatment of images through systems of cameras or video cameras
in order to preserve the safety of people and property, as well as their
Instruction No. 4/2022, of July 28, 2022, of the General Secretariat of
Penitentiary Institutions by which the treatment of personal data is regulated
personnel obtained by recording images and sounds by the systems of
existing video surveillance in the different penitentiary establishments, explains what
"Organic Law 3/2018, of December 5, on the protection of personal data and
guarantee of digital rights (hereinafter LO 3/2018); and Organic Law 7/2021, of
May 26, protection of personal data processed for prevention purposes,
detection, investigation and prosecution of criminal offenses and enforcement of
criminal sanctions (hereinafter LO 7/2021), establish different legal regimes
of protection and action that must be regulated”.
In addition, said instruction clarifies that "on the one hand, regarding the treatment of data
obtained through video surveillance that do not affect persons deprived of liberty
and that are not directly related to criminal execution, which will be
provided for in Regulation (EU) 2016/679 of the European Parliament and of the Council, of
April 27, 2016, regarding the protection of natural persons with regard to
to the processing of your personal data and to the free circulation of these data (in
hereafter GDPR) - repealing Directive 95/46/CE (RGPD) - and the provisions
in article 22 of Organic Law 3/2018, of December 5.
On the other hand, regarding the detailed legal regime for the recordings of the
persons deprived of liberty, which will be in accordance with the provisions of Organic Law 7/2021 and
to the recommendations made by the Ombudsman for the specific
penitentiary area”.
It is considered that the facts exposed, that is, capturing the images with a mobile phone
of the Center's video surveillance system, in which a visitor to the Center appeared,
to spread them by WhatsApp to other colleagues, violate what is established in the
article 6 of the RGPD, for which reason it could suppose the commission of a typified infraction
in article 83.5 of the GDPR, which provides the following:
Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
C/ Jorge Juan, 6
28001 – Madrid
total annual global business volume of the previous financial year, opting for
the highest amount:
a) the basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9;
For the purposes of the limitation period for infringements, the infringement indicated in the
previous paragraph is considered very serious in accordance with article 72.1 of the LOPDGDD,
which states that:
"Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that
a substantial violation of the articles mentioned therein and, in particular, the
b) The processing of personal data without the fulfillment of any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679.
In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the GDPR, precepts that state:
"Each control authority will guarantee that the imposition of administrative fines
under this Article for infringements of this Regulation
indicated in sections 4, 9 and 6 are effective in each individual case,
proportionate and dissuasive.”
"Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or in lieu of the measures contemplated in
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case shall be duly taken into account:
a) the nature, seriousness and duration of the offence, taking into account the
nature, scope or purpose of the processing operation in question
such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to mitigate
the damages and losses suffered by the interested parties;
d) the degree of responsibility of the controller or processor,
taking into account the technical or organizational measures that they have applied under
of articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the potential adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
C/ Jorge Juan, 6
28001 – Madrid
h) the way in which the supervisory authority became aware of the infringement, in
particular whether the person in charge or the person in charge notified the infringement and, if so, in what
i) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the person in charge in relation to the
same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or to mechanisms of
certification approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.”
Regarding section k) of article 83.2 of the GDPR, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:
a) The continuing nature of the offence.
b) The link between the activity of the offender and the performance of data processing.
personal information.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected party could have led to the commission
of the offence.
e) The existence of a merger by absorption process subsequent to the commission of the
violation, which cannot be attributed to the absorbing entity.
f) The affectation of the rights of minors.
g) Have, when it is not mandatory, a data protection delegate.
h) Submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
there are controversies between those and any interested party.”
In accordance with the precepts transcribed, for the purpose of setting the amount of the sanction of
fine to be imposed in the present case on the entity claimed as responsible for a
offense typified in article 83.5.b) of the GDPR, in an initial assessment,
The following aggravating factors are considered concurrent:
o Seriousness of the facts, since the defendant took advantage of his condition
security guard and access to images to capture and disseminate them
o Intentionality in the action, since such actions are not their own
of their professional work.
C/ Jorge Juan, 6
28001 – Madrid
It is appropriate to graduate the sanction to be imposed on the defendant and set it at the amount of 10,000
€ in accordance with article 58.2 of the GDPR
The text of the resolution establishes which have been the infractions committed and
the facts that have given rise to the violation of the regulations for the protection of
data, from which it is clearly inferred what are the measures to adopt, without prejudice
that the type of procedures, mechanisms or concrete instruments for
implement them corresponds to the sanctioned party, since it is responsible for the
treatment who fully knows its organization and has to decide, based on the
proactive responsibility and risk approach, how to comply with the GDPR and the
In view of the foregoing, the following is issued
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE A.A.A., with NIF ***NIF.1, for a violation of article 6 of the
GDPR, typified in article 83.5 of the GDPR, a fine of €10,000 (ten thousand euros).
SECOND: NOTIFY this resolution to A.A.A..
THIRD: Warn the penalized person that they must make the imposed sanction effective
Once this resolution is enforceable, in accordance with the provisions of Article
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of its income, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:
XXXXXXXXXXXX), opened on behalf of the Spanish Agency for Data Protection in
the banking entity CAIXABANK, S.A. Otherwise, it will proceed to its
collection in executive period.
Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reversal before the
C/ Jorge Juan, 6
28001 – Madrid
Director of the Spanish Agency for Data Protection within a period of one month from
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [],
or through any of the other records provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious-administrative appeal.
If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.
Mar Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6
28001 – Madrid