AEPD (Spain) - EXP202211618
From GDPRhub
| AEPD - EXP202211618 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 29.04.2022 |
| Decided: | 14.07.2023 |
| Published: | |
| Fine: | 10000 EUR |
| Parties: | NANDIVALE, S.L. Data subject |
| National Case Number/Name: | EXP202211618 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA fined a company €10,000 for recording and publishing images of minors on its social media without having the consent of their parents.
English Summary
Facts
The data subject was a 4 year old minor, who attended a birthday party at one of the establishments of the controller, Nandivale. The controller posted images showing the faces of children present at the party in the stories of its Instagram profile.
After seeing the stories, the mother of the data sent an Instagram message to the controller, asking it to delete the image. However, the controller did not comply with the request and she filed a complaint with the Spanish DPA, claiming that she never gave her consent for the publication of her child's image.
Holding
The DPA stressed that the physical image of a person must be considered as personal data under Article 4(1) GDPR, and thus, it requires a legal ground to be processed. The DPA also emphasized that, in addition to consent, there are other possible bases that legitimize the processing of data without the need for the authorization of the data subject. For instance, when it is necessary for the performance of a contract or for the satisfaction of legitimate interests pursued by the data controller or by a third party.
In the present case, the DPA noted that the controller did not inform data subjects about the processing of personal data that it carried out, neither before nor after it took place. In other words, there was no information about the recording of images in parties organized at the controller's venur and their publication on its social media profile. The controller also did not inform if it relied on consent of the parents, in the case of minors under 14 years of age, or the consent of minors, over 14 years of age, differentiating this circumstance. Therefore,the DPA concluded that there was no accredited basis for the processing of minors' personal data and issued a fine of €10,000 for the violation of Article 6(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
11/1
File No.: EXP202211618
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: Ms. A.A.A. (hereinafter the claimant) on 10/23/2022 filed
claim before the Catalan Data Protection Authority and on 10/26/2022 the
Said Authority notified the Spanish Agency for Data Protection on
10/26/2022 for being competent to hear the matter. The claim is directed
against NANDIVALE, S.L. with NIF B66070012 (hereinafter the claimed). The motives
on which the claim is based are the following: the claimant mother of a 4-year-old girl
years old that on 08/07/2022 attended a birthday party organized at the
place of the claimed; points out that, without the consent of the parents of the children
attendees, images of the celebration were taken in which the minors appeared,
and they were published on the Instagram profile ***PERFIL.1 as a "story". The claimant,
being aware of the publication of the images in which her daughter appeared,
contacted the author of the publication through the messaging service
provided by the service provider, in order to request that the
publication or covering the face of minors; states that he received no response and
that the publication was available 24 hours for which, by default, they are
configured the "stories" of Instagram.
Along with the notification, a publication with images of the minors is provided.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
forward LOPDGDD), said claim was transferred to the claimed party, for
to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements established in the regulations of
Data Protection.
The transfer, which was carried out in accordance with the norms established in the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP), was collected on 11/03/2022
as stated in the acknowledgment of receipt in the file.
The defendant responded on 01/03/2023 stating in summary: that it is
of an entity dedicated to events and leisure activities as well as the organization of
child parties; that the claim presented requested the deletion of the video and the
It was withdrawn 24 hours after its publication, since the withdrawal request
It was made through a friend request from the Instagram profile and not from the channel
planned for it, therefore, it was not until after said hours that they had
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/11
knowledge of said request; that you have been aware of the error that this
situation; that measures have been intensified to prevent these
situations requiring consent and created a protocol to avoid
incidences; that the disciplinary procedure be filed or that the
warning; secondarily, it is considered a minor infraction.
On 01/05/2023, it provided the document Risk Analysis in the Treatment of
Personal information.
THIRD: On 01/09/2023, in accordance with article 65 of the LOPDGDD,
The claim presented by the complaining party was admitted for processing.
FOURTH: On 04/29/2022, the Director of the Spanish Protection Agency
of Data agreed to initiate a sanctioning procedure against the defendant, for the alleged
violation of articles 32.1 and 5.1.f) of the GDPR, typified in article 83.4.a) and
83.5.a) of the GDPR, with warning. Receipt by the claimant of the
agreement to start the file.
FIFTH: Once the initiation agreement has been notified, the claimant has elapsed the term
established, I do not present a written statement of allegations, so the following is applicable.
indicated in article 64 of Law 39/2015, of October 1, on the Procedure
Common Administrative Law of Public Administrations, which in its section f)
establishes that in the event of not making allegations within the period established on the
content of the initiation agreement, it may be considered a proposal for
resolution when it contains a precise pronouncement about the responsibility
accused, for which reason a Resolution is issued.
SEVENTH: Of the actions carried out in this procedure, have been
the following accredited:
PROVEN FACTS
FIRST: The claimant, on 10/23/2022 filed a claim with the Authority
Catalan Data Protection Agency and on 10/26/2022 the aforementioned Authority notified the
Spanish Agency for Data Protection as it is competent to know about the
affair. The claimant stated that she is the mother of a minor and that on 08/07/2022
attended a birthday party organized at the premises of the defendant; notes that,
without the express consent of the parents of the attending children, the
images of the celebration in which the minors appeared, later
published on the Instagram profile ***PERFIL.1 as a "story"; due
therefore contacted the author of the publication through the messaging service
provided by the service provider, in order to request that the
publication or the face of minors will be pixelated, without receiving a response while the
Publication available 24 hours, which are the ones that are configured by default.
Instagram stories.
SECOND: It has provided screenshots of the Instagram account
***PROFILE.1 containing address, telephone number, logo and web address where the
can see different photographs of minors and parents in the celebration of
a children's party
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/11
THIRD: There are screenshots of the children's party (4 photographs)
and the following messages from the mother of the minor sent to the account of
***ACCOUNT.1:
“Hello, I am one of the mothers who attended the birthday today. I have not given
consent to upload images where my daughter appears. We haven't even given
consent to the recording of images, and to upload them you should have covered
the faces of the minors. So please either cover his face by raising the
videos or delete the stories where it is clearly identified. It is the girl of the
right to the most visible. Thank you".
Hello, I have written to you before.
“I will hit you again what I have written before.
Hello, I am one of the mothers who had a birthday today. I have not given
consent to upload images where my daughter appears. We haven't even given
consent to the recording of images, and to upload them you should have covered
the faces of the minors. So please either cover his face by raising the
videos or delete the stories where it is clearly identified. It is the girl of the
right to the most visible. Thank you. Maybe it is the first time that you meet before
this situation but capturing images of minors and uploading them to networks is typified
as a crime with fines of up to 300,000 euros. I do not want images of my daughter in
Internet".
FOURTH: The defendant in writing of 01/31/2023 has stated "That he has always
It has been the will of "XXXXXXXX" to process the personal data entrusted to it with the
maximum guarantees, and has been aware of the error that this situation implies, and has
proceeded to rectify this situation in such a way that it adapts to the demands that
marks the data protection regulations and, consequently, to be able to deal with the
greater guarantees the data of the people who trust them, as it has always been
his intentions.
FIFTH: The defendant has provided on 01/05/2023 Risk Analysis in the
Treatment of Personal Data of Nanvidale, S.L. and later the
01/31/2023 the Video Surveillance Zone Announcement Poster in accordance with the GDPR and
Form for Information and Consent for data processing
Customer personal. Likewise, the Policy of
privacy of the defendant.
FUNDAMENTALS OF LAW
Yo
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/11
Likewise, article 63.2 of the LOPDGDD determines that: "The
procedures processed by the Spanish Data Protection Agency will be governed
by the provisions of Regulation (EU) 2016/679, in this organic law, for the
regulatory provisions dictated in its development and, as soon as they are not
contradict, on a subsidiary basis, by the general rules on the
administrative procedures."
II
Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations, in its article 64 "Initiation agreement in the
procedures of a sanctioning nature”, provides:
"1. The initiation agreement will be communicated to the instructor of the procedure, with
transfer of any actions that exist in this regard, and the interested parties will be notified,
Understanding in any case as such the accused.
Likewise, the initiation will be communicated to the complainant when the rules
regulators of the procedure so provide.
2. The initiation agreement must contain at least:
a) Identification of the person or persons allegedly responsible.
b) The facts that motivate the initiation of the procedure, its possible
rating and sanctions that may correspond, without prejudice to what
results from the instruction.
c) Identification of the instructor and, where appropriate, Secretary of the procedure, with
express indication of the recusal regime of the same.
d) Competent body for the resolution of the procedure and norm that
attributes such jurisdiction, indicating the possibility that the alleged
responsible can voluntarily acknowledge his responsibility, with the
effects provided for in article 85.
e) Measures of a provisional nature that have been agreed by the body
competent to initiate the disciplinary procedure, without prejudice to those that
may be adopted during the same in accordance with article 56.
f) Indication of the right to make allegations and to the hearing in the
procedure and the deadlines for its exercise, as well as an indication that, in
In the event of not making allegations within the established term on the content of the
initiation agreement, this may be considered a resolution proposal
when it contains a precise pronouncement about the responsibility
accused.
3. Exceptionally, when at the time of issuing the initiation agreement
there are not enough elements for the initial qualification of the facts that motivate
the initiation of the procedure, said qualification may be carried out in one phase
through the preparation of a Statement of Objections, which must be notified to
the interested".
In application of the previous precept and taking into account that no
made allegations to the initiation agreement, it is appropriate to resolve the procedure initiated.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/11
II
The denounced facts materialize in the taking of images of the event in the
containing minors and their publication on the Instagram profile ***PERFIL.1
as a "story", without the consent of their parents being accredited.
Article 58 of the GDPR, Powers, states:
"2. Each supervisory authority shall have all the following powers
corrections listed below:
(…)
i) impose an administrative fine in accordance with article 83, in addition to or in
instead of the measures mentioned in this paragraph, according to the
circumstances of each particular case;
(…)”
It should be noted that the physical image of a person, according to article 4.1
of the GDPR, it is personal data and its protection, therefore, is the subject of said
Regulation. Article 4.2 of the GDPR defines the concept of "processing" of
personal information.
It is therefore necessary to analyze whether the processing of personal data (image
of natural persons) carried out through recording and broadcasting, in which
minors appear, in social networks is in accordance with the provisions of the GDPR.
Article 6, Legality of the treatment, of the GDPR in its section 1, establishes
that:
"1. Processing will only be lawful if at least one of the following is fulfilled
conditions:
a) the interested party gave his consent for the processing of his data
personal for one or more specific purposes;
b) the processing is necessary for the performance of a contract in which the
interested party or for the application at the request of this of measures
pre-contractual;
c) the processing is necessary for compliance with a legal obligation
applicable to the data controller;
d) the processing is necessary to protect vital interests of the data subject or
of another physical person;
e) the treatment is necessary for the fulfillment of a mission carried out in
public interest or in the exercise of public powers conferred on the person responsible
of the treatment;
f) the processing is necessary for the satisfaction of legitimate interests
pursued by the data controller or by a third party, provided that
such interests are not overridden by the interests or the rights and freedoms
of the interested party that require the protection of personal data,
in particular when the interested party is a child.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/11
The provisions of letter f) of the first paragraph shall not apply to the
treatment carried out by public authorities in the exercise of their functions”.
And article 4 of the GDPR, Definitions, in its sections 1, 2 and 11, states that:
“1) “personal data” means any information about an identified natural person
or identifiable ("the data subject"); Any identifiable natural person shall be considered
person whose identity can be determined, directly or indirectly, in particular
by means of an identifier, such as a name, an identification number,
location data, an online identifier or one or more elements of the
physical, physiological, genetic, psychological, economic, cultural or social identity of said
person;
"2) "processing": any operation or set of operations carried out
on personal data or sets of personal data, either by procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, diffusion or any other form of authorization of
access, collation or interconnection, limitation, deletion or destruction;
"11) "consent of the interested party": any manifestation of free will,
specific, informed and unequivocal for which the interested party accepts, either through
a statement or a clear affirmative action, the processing of personal data that
concern him."
On the other hand, article 92 of the LOPDGDD, Data Protection of
minors on the Internet, points out that:
"Educational centers and any physical or legal persons who
develop activities in which minors participate will guarantee the
protection of the best interests of the minor and their fundamental rights,
especially the right to the protection of personal data, in the publication or
dissemination of your personal data through services of the society of the
information.
When said publication or diffusion were to take place through services of
social networks or equivalent services must have the consent of the
minor or their legal representatives, in accordance with the provisions of article 7 of this
organic Law".
IV.
It should be noted that data processing requires the existence of a database
law that legitimizes it.
In accordance with article 6.1 of the GDPR, in addition to consent,
There are other possible bases that legitimize the processing of data without the need for
have the authorization of its owner, in particular, when necessary for the
execution of a contract in which the affected party is a party or for the application, upon request
of this, of pre-contractual measures, or when necessary for the satisfaction of
legitimate interests pursued by the controller or by a third party,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/11
provided that such interests do not prevail over the interests or rights and
fundamental freedoms of the data subject that require the protection of such data. He
treatment is also considered lawful when necessary for the fulfillment of
a legal obligation applicable to the data controller, to protect interests
of the data subject or of another natural person or for the fulfillment of a mission
carried out in the public interest or in the exercise of public powers vested in the
responsible for the treatment.
In the present case, the defendant in relation to the processing of personal data
personal character, neither before nor after the infringement, nor in
its Privacy Policy or in the Risk Analysis provides for the treatment carried out
cabo: disseminate or publish images of the celebrations on social networks.
On the other hand, regarding the publication of images, it is not specified
where it is provided (web page of the defendant, social networks, etc.) and as soon as
to the consent that they transfer in their response, nothing indicates about this treatment
specifically, if you collect parental consent in the case of children under 14
years or the consent to minors, over 14 years of age, differentiating this
circumstance of age (Neither does it appear in the case of adults if it is collected
their consent for the publication of their images, etc.).
Therefore, in the case examined, there is no accredited basis of legitimacy
any for the treatment of data of minors.
V
The infringement attributed to the defendant is typified in the
Article 83.5 a) of the GDPR, which considers that the infringement of "the basic principles
for processing, including the conditions for consent under the terms of the
Articles 5, 6, 7 and 9" is punishable, in accordance with section 5 of the aforementioned
Article 83 of the aforementioned Regulation, "with administrative fines of €20,000,000 as
maximum or, in the case of a company, of an amount equivalent to 4% as
maximum of the overall annual total turnover of the previous financial year,
opting for the one with the highest amount”.
The LOPDGDD in its article 71, Violations, states that: "They constitute
offenses the acts and behaviors referred to in sections 4, 5 and 6 of the
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law”.
And in its article 72, it considers for the purposes of prescription, which are: "Infractions
considered very serious:
1. Based on what is established in article 83.5 of the Regulation (EU)
2016/679 are considered very serious and the infractions that
suppose a substantial violation of the articles mentioned in that and, in
particular, the following:
(…)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/11
b) The processing of personal data without the concurrence of any of the
conditions of legality of the treatment established in article 6 of the
Regulation (EU) 2016/679.
(…)”
SAW
In order to establish the administrative fine that should be imposed, the
observe the provisions contained in articles 83.1 and 83.2 of the GDPR, which
point out:
"1. Each control authority will guarantee that the imposition of fines
administrative proceedings under this article for violations of this
Regulations indicated in sections 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an addition to or substitute for the measures contemplated
in article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case shall be duly taken into account:
a) the nature, seriousness and duration of the offence, taking into account the
nature, scope or purpose of the processing operation in question
as well as the number of stakeholders affected and the level of damage and
damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor
to alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the controller or the person in charge of the
processing, taking into account the technical or organizational measures that have
applied under articles 25 and 32;
e) any previous infringement committed by the person in charge or in charge of the
treatment;
f) the degree of cooperation with the supervisory authority in order to put
remedy the breach and mitigate the potential adverse effects of the breach;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
particularly if the person in charge or the person in charge notified the infringement and, in such a case,
what extent;
i) when the measures indicated in article 58, paragraph 2, have been
previously ordered against the person in charge or in charge in question
in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or to mechanisms
of certification approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as the financial benefits obtained or the losses avoided, direct
or indirectly, through the infringement.
In relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its
Article 76, "Sanctions and corrective measures", establishes that:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/11
"2. In accordance with the provisions of article 83.2.k) of the Regulation (EU)
2016/679 may also be taken into account:
a) The continuing nature of the offence.
b) Linking the activity of the offender with the performance of processing
of personal data.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected party could have led to the
commission of the offence.
e) The existence of a merger process by absorption after the commission
of the infringement, which cannot be attributed to the absorbing entity.
f) The affectation of the rights of minors.
g) Have, when it is not mandatory, a data protection delegate
data.
h) The submission by the person in charge or in charge, with character
voluntary, alternative conflict resolution mechanisms, in those
cases in which there are controversies between them and any
interested."
- In accordance with the precepts transcribed, for the purpose of setting the amount of the
sanction for the infringement typified in article 83.5.a) and article 6.1 of the GDPR of the
that the defendant is held responsible, the following factors are considered concurrent
as aggravating circumstances:
The categories of personal data affected by the infringement;
We must not forget that we are facing the infringement of a fundamental right
aggravated by the category of data processed, since the image that is disseminated is of
minors (article 83.2.g) of the GDPR).
The intentionality or negligence in the infraction. Connected this circumstance
with the degree of diligence that the data controller is obliged to
deploy in compliance with the obligations imposed by the regulations of
Data Protection; the SAN of 10/17/2007 can be cited, which although it was issued before
of the validity of the GDPR, its pronouncement can be perfectly extrapolated to the
Of course we analyze The ruling, after alluding to the fact that the entities in which
that the development of its activity involves continuous processing of customer data
and third parties must observe an adequate level of diligence, specified that "(...) the
The Supreme Court has understood that there is imprudence whenever
disregards a legal duty of care, that is, when the offender does not behave
with the due diligence” (article 83.2, b) of the GDPR).
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited,
The Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE NANDIVALE, S.L., with NIF B66070012, for a violation of the
Article 6.1 of the GDPR, typified in Article 83.5.a) of the GDPR, a fine of 10,000
€ (ten thousand euros).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/11
SECOND: NOTIFY this resolution to NANDIVALE, S.L.
Warn the penalized person that they must make the imposed sanction effective once the
This resolution is enforceable, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter LPACAP), within the voluntary payment term
established in art. 68 of the General Collection Regulations, approved by Royal
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, by means of its income, indicating the NIF of the sanctioned and the number of
procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:
XXXXXXXXXXXX), opened on behalf of the Spanish Agency for Data Protection in
the banking entity CAIXABANK, S.A. Otherwise, it will proceed to its
collection in executive period.
Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the deadline for making the
voluntary payment will be until the 20th day of the following or immediately following business month, and if
is between the 16th and the last day of each month, both inclusive, the term of the
Payment will be until the 5th of the second following or immediate business month.
In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative process in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, interested parties may optionally file an appeal for reversal
before the Director of the Spanish Data Protection Agency within a period of one
month from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the firm resolution may be temporarily suspended in administrative proceedings
If the interested party expresses his intention to file a contentious appeal-
administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Agency for Data Protection,
presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Also
must transfer to the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency were not aware of the
filing of the contentious-administrative appeal within a period of two months from the
day following the notification of this resolution, would terminate the
injunction suspension
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/11
Mar Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
