AEPD (Spain) - PS-00066-2022
|AEPD - PS-00066-2022|
|Relevant Law:||Article 4(11) GDPR|
Article 6 GDPR
Article 6(1) LOPDGDD
|Parties:||SOPHIE ET VOILA, S.L|
|National Case Number/Name:||PS-00066-2022|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA concluded that a controller violated Article 6 GDPR after publishing a photo on Instagram without a valid legal basis. The DPA imposed a €10,000 fine on the controller.
English Summary[edit | edit source]
Facts[edit | edit source]
On 24 September 2021, the complainant turned to the Spanish DPA alleging a violation of the right to protection of personal data as a result of a wedding dress company (the controller) posting a photograph of the complainant without their consent on Instagram. The photo included a man with a woman in a wedding dress designed by the controller company.
Following an initial complaint, the controller removed the picture within an hour of posting and re-uploaded it after covering the face of the complainant with a black circle. Eventually, the controller removed the photo permanently upon having received payment for the dress.
On 14 January 2022, the controller submitted to the Spanish DPA a claim that the complainant was not identifiable anymore in the photograph in question, hence the photograph did not contain personal data within the meaning of Article 4(1) GDPR. Moreover, the controller pointed out that Instagram offers the possibility to report a picture posted by a third party, which the complainant never made use of.
Finally, the controller claimed that the complainant gave their consent to the publishing of the photograph by reposting it on their own account. They also alleged to have legitimate interest in the publication of the photograph because the controller wanted to collect payment for the dress.
Holding[edit | edit source]
First, the Spanish DPA recalled the conditions for valid consent under Article 4(11) GDPR and Article 6(1) LOPDGDD (National data protection law aimed at the implementation of the GDPR). In both articles, consent is defined as "any manifestation of free, specific, informed and unequivocal will" expressed through a statement or clear affirmative action. Further, it stated that consent is one of the valid legal bases under Article 6 GDPR.
In this regard, the DPA noted that there was no valid consent given by the complainant as the reposting or tagging in social media posts cannot count as clear affirmative action. Moreover, the lack of payment did not legitimise the controller to use the images of the complainant without their express consent. Therefore, the DPA concluded that there was no valid legal basis for the processing of personal data in form of publishing photographs of the complainant on Instagram.
The DPA imposed a €10,000 fine on the controller for violating Article 6 GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 File No.: EXP202104917 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) dated September 24, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against SOPHIE ET VOILA, S.L. with NIF B95827952 (in hereafter, the party claimed). The reason on which the claim is based is that the respondent party has published in Instagram a photo showing the claimant dressed in her wedding attire. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), on November 29, 2021, said communication was claim to the claimed party, so that it proceeded to its analysis and inform the this Agency within a month, of the actions carried out to adapt to the requirements set forth in the data protection regulations. On January 14, 2022, in response to the aforementioned request, the party claimed indicates that at no time are the claimants identified, since the photographs they only showed the figures of two people, a man and a woman, with their faces totally covered by a black circle that did not make them identifiable. Said entity considers that for there to be an infringement of the rights conferred in the RGPD, there must be a treatment of the personal data of the claimants, and the publication of a photograph, which has been deliberately modified so as not to make its members recognizable, cannot be considered a treatment illicit, on the contrary, it could be proof of the security measures adopted, in this case, the anonymization of the data and guarantee their confidentiality. He supports his statements alleging that article 4 of the aforementioned RGPD under the rubric “Definitions” means personal data “all information about a natural person identified or identifiable ("the interested party"); shall be considered an identifiable natural person any person whose identity can be determined, directly or indirectly, in by an identifier, such as a name, phone number, identification, location data, an online identifier, or one or more elements own physical, physiological, genetic, mental, economic, cultural or social status of that person. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/10 It is stated that the anonymized images of the complainants cannot be considered personal data and, therefore, its publication cannot be considered a treatment subject to the GDPR. It also considers that in the surprising event that it were understood that the images that appear in the photograph are personal data, the terms and conditions of the social network (Instagram) that contemplate the possibility of that a user can publish photos in which third parties appear, offering a way to report such uses in case of not agreeing with them, via the claimants did not exercise. He concludes by pointing out that the images were published for less than an hour, for which again in the event that the existence of a treatment of personal data contrary to the RGPD, the infringement would lack sufficient entity and that, in any case, if the arguments of the complainant were taken into account, perhaps it would be convenient to assess article 76.2.d) of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights. THIRD: On December 24, 2021, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant was admitted for processing. FOURTH: On April 1, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, for the alleged infringement of Article 6 of the RGPD, typified in Article 83.5 of the GDPR. FIFTH: Notification of the aforementioned start-up agreement in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), the respondent filed a written of allegations in which, in summary, it states that the complainant published her photography on August 29 and tagged Sophie et Voilá. The entity complained against considers that the labeling by the complainant to the entity claimed on Instagram, without a doubt it is a clear action in which the complainant is interested in making public that our client is responsible of making your dress. As can be seen from the facts, Sophie et Voilá reposts the publication of the complainant on August 29, without the complainant having shown any type of annoyance, it is more on September 25 again publishes another photograph and also tag Sophie et Voilá, which shows your complete compliance with the work of my represented and of course with the reposting of them. This action is a free and positive affirmative action by the party claimant by labeling my client who should be 11 considered as a consent in the publication of the images by my client. SIXTH: On May 25, 2022, the instructor of the procedure considers reproduced for evidentiary purposes the claim filed by the claimant and its documentation, the documents obtained and generated and are considered reproduced at C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/10 evidentiary purposes, the allegations to the agreement to initiate the procedure sanctioning referenced, presented by SOPHIE ET VOILA, S.L., and the accompanying documentation. SEVENTH: On May 31, 2022, a resolution proposal was formulated, proposing that the Director of the Spanish Data Protection Agency sanction to SOPHIE ET VOILA, S.L., with NIF B95827952, for an infringement of article 6 of the RGPD, typified in article 83.5 of the RGPD, with a fine of €10,000 (ten thousand euros). Of the actions carried out in this procedure and the documentation in the file, the following have been accredited: PROVEN FACTS FIRST: A photo showing the complaining party has been published on Instagram dressed in her wedding dress, by the entity that made her dress, to get it paid. The images published by the complained party if they were identifiable, and the objective of his post was to collect sales of purchased wedding suits. SECOND: The entity claimed alleges that said photos were posted by the claimant previously and that when the claimed party in turn posted such images pixelated his face. FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47 and 48.1 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II Article 4.11 of the RGPD defines the consent of the interested party as "any manifestation of free, specific, informed and unequivocal will by which the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/10 The interested party accepts, either by means of a declaration or a clear affirmative action, the processing of personal data concerning you”. In this sense, article 6.1 of the LOPDGDD, establishes that "in accordance with the provided in article 4.11 of Regulation (EU) 2016/679, consent is understood affected person, any manifestation of free, specific, informed and inappropriate will. equivocal by which he accepts, either through a statement or a clear action affirmative, the treatment of personal data that concerns you”. For its part, article 6 of the GDPR establishes the following: "1. The processing will only be lawful if at least one of the following conditions is met: nes: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at the request of the latter of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the data controller; d) the treatment is necessary to protect the vital interests of the interested party or another Physical person; e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers vested in the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that said interests interests do not prevail or the fundamental rights and freedoms of the interest cases that require the protection of personal data, in particular when the interested sado be a child. The provisions of letter f) of the first paragraph shall not apply to the processing carried out by public authorities in the exercise of their functions.” III In the present case, the complaining party denounces the defendant because he has posted on Instagram a photo showing the claimants dressed in their wedding suits According to the party complained against, in the photo the complaining party's face is totally covered by a black circle. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/10 The respondent states that she has been publishing her designs since 2014 on Instagram and that the The basis that legitimizes the treatment is the legitimate interest. In addition, he states that the photo was published for an hour and was removed when the bride finally paid for her wedding dress. The entity claimed states that recital 26 of the RGPD establishes the Next: “The principles of data protection must apply to all information relating to to an identified or identifiable natural person. Pseudonymized personal data, which could be attributed to a natural person through the use of additional information, should be considered information about an identifiable natural person. In determining whether a natural person is identifiable, all the means, such as singularization, that the person in charge can reasonably use of the treatment or any other person to identify directly or indirectly the Physical person. To determine whether there is a reasonable probability that means will be used to identify a natural person, all objective factors must be taken into account, as the costs and time required for identification, taking into account both technology available at the time of treatment such as advances technological. Therefore, data protection principles should not apply to information anonymous, i.e. information that is not related to a natural person identified or identifiable, nor to the data anonymised in such a way that the interested party is not identifiable, or ceases to be so. Consequently, this Regulation does not affect the treatment of such anonymous information, including for statistical or research purposes. “ Well, applying this definition and the aforementioned recital, we cannot understand that the photographs in which the faces of those who appear are covered comply with none of these requirements, since the bridal attire of both claimants did not makes them identifiable in any case. It must be taken into account that the complainant published her photograph on Instagram on the day August 29, 2020 and tagged the claimed entity. The labeling of my client is undoubtedly a clear action in which the company itself complainant is interested in making public that our client is responsible of making your dress. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/10 As can be seen in the facts, the claimed entity reposts the publication of the complainant on August 29, 2020, without the complainant having shown no kind of hassle, it is more on September 25, 2020 again publish another photograph and also tag the claimed entity, proving its complete in accordance with the work of my representative and of course with the reposting of the themselves. This action, which we will discuss later, is a free affirmative action and in positive on the part of the claimant when labeling my client that must be considered as a consent in the publication of the images by My client. In relation to the anonymization action of the images or their pixelation, we must bear in mind that on several occasions the Spanish Protection Agency itself of Data recommends this type of techniques for the publication of images in the media. For example, recently the AEPD, coinciding with the confinement situation, recalled the risks of spreading images of people on social networks and recommended that digital parameters be used that prevent distinguishing features facials. The respondent states that she has been publishing her designs since 2014 on Instagram and that the The basis that legitimizes the treatment is the legitimate interest. In addition, he states that the photo was published for an hour and was removed when the bride finally paid for her wedding dress. This Agency considers that the images published by the claimed party, if they were identifiable and therefore were published on Instagram by the claimed with the purpose of charging for sales made, In this sense, it must be indicated that the lack of payment does not legitimize the claimed party to use the images of the claimants, if you do not have their express consent, therefore, an illicit treatment of personal data has been incurred. In addition, the personal data obtained from a social network or internet, without the concurrence of any of the bases of legitimacy foreseen in art. 6 of the GDPR. Therefore, it is considered that we are facing an illicit treatment of personal data, since in this case the respondent did not even attempt to obtain consent of the claimants for the use of their image, since they considered that they had an interest legitimate for its treatment. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/10 Its non-compliance supposes the infringement of article 6 of the RGPD indicated in the basis of law II, since the personal data have been processed without counting with no kind of legitimacy. IV Article 72.1 b) of the LOPDGDD states that “according to what is established in the article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679.” v In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate: “Each control authority will guarantee that the imposition of administrative fines under this Article for infringements of this Regulation indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.” “Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case will be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/10 particular whether the person in charge or the person in charge notified the infringement and, if so, in what measure; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and corrective measures”, provides: "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of treatment of personal information. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the offence. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when not mandatory, a data protection delegate. h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party.” In accordance with the precepts transcribed, in order to set the amount of the sanction of fine to be imposed on SOPHIE ET VOILA, S.L. with NIF B95827952, as responsible for an infringement typified in article 83.5.a) of the RGPD, they are considered concurrent in the present case, as aggravating factors, the following factors: -there has been intentionality, since they indicate that they removed the images when paying for the suit bridal, in accordance with article 83.2 b of the RGPD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/10 This infraction can be sanctioned with a fine of €20,000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the of greater amount, in accordance with article 83.5 of the RGPD. Pursuant to these criteria, it is considered appropriate to impose on the defendant entity a penalty of 10,000 euros (ten thousand euros), for the infringement of article 6 of the RGPD, regarding the processing of personal data, without the consent of the affected. In accordance with the foregoing, by the Director of the Agency Spanish Data Protection Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE SOPHIE ET VOILA, S.L., with NIF B95827952, for a infringement of article 6 of the RGPD, typified in article 83.5 of the RGPD, a fine of 10,000 euros (ten thousand euros). SECOND: NOTIFY this resolution to SOPHIE ET VOILA, S.L. THIRD: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/10 National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. 938-050522 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es