AEPD (Spain) - PS/00043/2021

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 58(2) GDPR
Article 83(2) GDPR
Article 83(5) GDPR
Article 65, LOPDGDD
Articles 47, 48(1) LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 500 EUR
Parties: n/a
National Case Number/Name: PS/00043/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Jennifer Vidal Ferreira

The Spanish DPA issued a fine of €500 against an association of property owners for violating Article 5(1)(f) GDPR by posting the personal data of its members, including their debtor status, on a residential building's display board.

English Summary

Facts

A data subject lodged a complaint with the Spanish DPA (AEPD) claiming that the home owner association of the residential blocks where he resides had disclosed the personal data of all its members on display boards placed in the ground-floor entrance (portal) of the three buildings in the community. The information sheet on the display board contained the data subjects' names and surnames, their apartment details (building, floor, and apartment number) and their status as debtors or non-debtors. Because the display boards were located in the ground-floor entrance of the buildings, the data subject argued that his personal data was exposed to third parties who might not be members of the residential community or the home owner association.

The association initially claimed that the disclosure of this information within the community was not subject to data protection laws, and that placing the information on the display board was a decision taken by the owner assembly, and hence with the association members' consent. However, once the AEPD initiated the proceedings, the association changed its stance and acknowledged that placing the information on the display boards was in breach of GDPR, and that the information had been displayed in this way as an exceptional measure to provide relevant information normally disclosed in their regular association meetings, which had been cancelled due to the COVID-19 pandemic.

Additionally, the association stated that it had not only taken down the information sheet from the display boards, but that it had also personally apologised to the data subject through a representative, informing him that they had not acted in bad faith or with any intent to damage his reputation.

Holding

The AEPD held that the home owner association had violated the principle of integrity and confidentiality under Article 5(1)(f) GDPR, and issued a fine of €500. When determining the amount of the fine, the AEPD took the following into consideration as mitigating factors: the association had not committed any previous GDPR violations; it had remedied the situation by taking down the information sheet from the display board; it had given the data subject ample explanations and apologies; and, lastly, the breach occurred due to exceptional circumstances.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: PS/00043/2021


                RESOLUTION OF PUNISHMENT PROCEDURE

In the procedure conducted by the Spanish Agency for Data Protection, and based on
the following


                                   BACKGROUND

FIRST: D.A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Data Protection Agency on September 1, 2020. The claim is directed against the OWNERS COMMUNITY ***ADDRESS.1, with CIF *** CIF.1 (hereinafter, the claimed party).

The reasons on which the claim is based are that the Presidency of the Community of Owners has placed on the bulletin boards a list of debtor owners, including the claimant, who is specifically the first on the list. The reason for its publication is discretionary, because it does not respond to any Assembly call or to the publication of any past Assembly Minutes.
The Community of Owners consists of three blocks, each with its own bulletin board. These publications have been posted on the 3 boards of the community. The bulletin boards are located inside the portals; all boards are locked and exposed to viewing by third parties outside this community.

Along with the claim, the claimant provides a photograph of the community bulletin board, with the lists of owners of all the blocks (debtors and non-debtors), which include name and surnames, block, floor and letter. The claimant also provides other photographs in which it can be seen that the bulletin board is located on the ground floor, which would correspond to the portal of the building.

SECOND: In view of the facts denounced in the claim and the documents provided by the claimant, the claim was forwarded to the claimed party on October 7, 2020 (repeated on October 19, 2020), requiring it to:
“Within a maximum period of one month from the receipt of this letter, you must analyze the claim and send this Agency the following information:
- The decision made regarding this claim.
- In the event of exercising the rights regulated in articles 15 to 22 of the RGPD, accreditation of the response provided to the claimant.
- Report on the causes that have motivated the incident that gave rise to the claim.
- Report on the measures adopted to prevent similar incidents from occurring, dates of implementation and controls carried out to verify their effectiveness.
- Any other information that you consider relevant.”

In response to the aforementioned request, the Administrator of the Community of
Owners states that "... we consider that, in general, the publication

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/7








on the notice board of the community of a list of owners who are not
up to date in payment of their fees is not covered by the regulations of
Data Protection."

“That, on August 12, 2020, a letter was sent to all the owners of this Community where they were informed: “Due to the situation created by the COVID-19 pandemic we have not been able to convene the ordinary meeting in order to present annual accounts, renewal of charges, pending issues, etc. However we have decided, for the purposes of greater information of the owners, to publish the accounts for the entire year 2019, and from January to July 2020, and leave the other topics for a next regular meeting.”
“That, in accordance with the provisions of the Horizontal Property Law, public, in those annual accounts, the identity of the debtors and their debts with the community, allowing this same Law to be published on the Notice Board of community, (….). However, the aforementioned publication has been made in compliance with an express agreement adopted by the Board of Owners, so we humbly believe that we will find ourselves before a transfer of data with prior consent of the interested parties, which in principle would not violate the regulations on the protection of personal data.”
The Administrator of the Community of Owners provides a copy of the letter that it says it sent to all the owners, which does not indicate that the posting on the Community Notice Board is made in compliance with an express agreement of the Board of Owners. This letter is signed by the Administrator, although it bears the names of the President and of two board members (vocales), one from block 3-4 and another from block 6-7, but not of a board member from block 5.
On the other hand, although the letter is dated August 12, 2020, the signature of the Administrator in said letter is dated November 9, 2020, a date that coincides with the signature of the response to the request of this Agency.

THIRD: On February 1, 2021, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit for processing the claim filed by the claimant against the claimed entity.

FOURTH: On June 11, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed entity, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), for the alleged infringement of article 5.1.f) of the RGPD, typified in article 83.5 of the RGPD.

FIFTH: Having been notified of the aforementioned initiation agreement, the claimed entity submitted a written statement of allegations in which, in summary, it stated that it expressly recognizes that the established legal precepts have been infringed, but without any intention of causing damage to the owner, the claimant. The community never wanted to damage the claimant's honor or acted with intent towards him; proof of this is that the administrator and representative of the community contacted him and gave him all possible explanations, in addition to personally apologizing, and explained that in the facts mentioned in his claim there was in no case bad faith on the part of the community, and that in future calls the community will publicly retract such non-compliance, which derives from an exceptional situation due to the impossibility of holding the scheduled ordinary meeting. It has ordered that the listings subject to the claim be removed, as evidenced in the attached document (photographs of the boards).


SIXTH: On January 19, 2022, a resolution proposal was formulated, proposing that the Director of the Spanish Data Protection Agency sanction the OWNERS COMMUNITY ***ADDRESS.1, with CIF ***CIF.1, for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, with a fine of FIVE HUNDRED € (500 euros).


SEVENTH: On January 30, 2022, ten calendar days having elapsed since the notification was made available without the claimed party having accessed its content, it is understood to be rejected, in accordance with article 43.2 of the LPACAP.


From the actions carried out in this procedure and the documentation in the file, the following have been accredited:

                                      FACTS

FIRST: The Presidency of the Community of Owners proceeded to post on the bulletin boards a list of debtor owners, among which is the complaining party (the first on the list), and non-debtors.
The Community of Owners consists of three blocks, each with its own bulletin board. These publications have been posted on the 3 boards of the community. The bulletin boards are located inside the portals; all boards are locked and exposed to viewing by third parties outside this community. The lists of owners of all the blocks (debtors and non-debtors) include name and surname, block, floor and letter. The notice board is located on the ground floor, which would correspond to the portal of the building.


SECOND: The claimed entity expressly acknowledges that the established legal precepts have been infringed, but without any intention of causing damage to the owner, the claimant. The community at no time wanted to harm the claimant's honor or acted with intent towards him; proof of this is that the administrator and representative of the community contacted him and gave him all possible explanations, in addition to personally apologizing, and explained that in the facts mentioned in his claim there was in no case bad faith on the part of the community, and that in future calls the community will publicly retract such non-compliance, which derives from an exceptional situation due to the impossibility of holding the scheduled ordinary meeting. It has ordered that the listings subject to the claim be removed, as evidenced in the attached document (photographs of the boards).

                           FOUNDATIONS OF LAW


                                           I

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and according to the provisions of articles 47 and 48.1 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”

                                            II

In accordance with the evidence available at the present time of the sanctioning procedure, it is considered that the proven facts constitute an infringement.
The claimed party is accused of committing an infringement for violation of Article 5.1.f) of the RGPD, which states that:
"one. The personal data will be:
“f) processed in such a way as to guarantee adequate security of the data

including protection against unauthorized or unlawful processing and against
your transcript.
The infringement is typified in Article 83.5.a) of the RGPD, which considers as such:
“the basic principles for treatment, including the conditions for the
consent under articles 5, 6, 7 and 9”.


                                           III

This infringement can be sanctioned with a maximum fine of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, whichever is higher, in accordance with article 83.5 of the RGPD.

In this sense, the actions taken by the claimed party upon learning of the claim, of which it was informed by this AEPD, and the measures adopted are relevant; it must report on them within the procedure, and the resolution may adopt those appropriate to bring the processing into line with the regulations.

                                           IV

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD:
“2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and its amount in each individual case, due account will be taken of:

a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages that they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have applied under articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, section 2, have been ordered previously against the controller or processor in question in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or certification mechanisms approved in accordance with article 42;
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

                                            V

In accordance with the precepts transcribed, in order to set the amount of the penalty for infringement of article 5.1 f) to be imposed on the claimed party, as responsible for the aforementioned infringement typified in article 83.5 of the RGPD, and the allegations filed by the claimed party having been upheld, due to the circumstances of the case it is appropriate to graduate the fine taking into account the following mitigating factors:
- Non-existence of antecedents.
- Recognition of the infringement, which was remedied in its entirety once the agreement to start this procedure was received, by removing all the personal data from the bulletin board.
- Compliance by the controller or processor with the measures imposed in the Start Agreement, so that the processing operations are adjusted to the GDPR provisions.
- Measures taken to mitigate damages and losses suffered: the administrator and representative of the community contacted the complaining party and gave him all possible explanations, in addition to personally apologizing, and explained that in the facts mentioned in his claim there was in no case bad faith on the part of the community, and that in future calls the community will retract such non-compliance publicly.
- The breach derives from an exceptional situation due to the impossibility of carrying out the regular scheduled meeting of the Community of Owners.

Considering the factors set out, the amount of the fine is assessed at €500 for violation of article 5.1 f) of the RGPD.













Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on the OWNERS COMMUNITY *** ADDRESS.1, with CIF *** CIF.1, for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, a fine of €500 (FIVE HUNDRED euros).


SECOND: NOTIFY this resolution to the OWNERS COMMUNITY ***ADDRESS 1.

THIRD: Warn the sanctioned party that it must pay the imposed sanction once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by paying it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account number ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the executive period.

Once the notification has been received and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the voluntary payment period will run until the 20th day of the following month or immediately after, and if it is between the 16th and last day of each month, both inclusive, the payment period will run until the 5th of the second following month or immediately after.


In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution may be provisionally suspended in administrative proceedings if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it will end the precautionary suspension.



                                                                                  938-270122



Mar España Martí
Director of the Spanish Data Protection Agency
















































