AEPD (Spain) - PS/00048/2021

From GDPRhub
AEPD - PS/00048/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5 GDPR
Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 22.03.2021
Fine: None
Parties: ASOCIACIÓN DETRABAJADORES PENITENCIARIOS TU ABANDONO ME PUEDE MATAR
National Case Number/Name: PS/00048/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) imposed a warning on an association for the protection of prison workers for publishing personal data without consent on Twitter.

English Summary

Facts

An association for the protection of prison workers published on Twitter a settlement proceedings documents in which the address of the claimant could be seen. The picture of it received several retweets so it reached a high amount of people. It was, however, deleted 15 minutes after its publication.

Dispute

Is this behaviour in line with Articles 5 and 6 GDPR?

Holding

The AEPD held that publishing personal data on Twitter without the consent of the claimant is a violation of Article 6 GDPR, due to the lack of consent, in relation with Article 5 GDPR, that is infringed due to the violation of the principle of confidentiality. The AEPD imposed a warning to the association.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/6








     Procedure No.: PS / 00048/2021

                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:

                                   BACKGROUND


FIRST: D. A.A.A. in the name and on behalf of Ms. B.B.B. (hereinafter, the
claimant) on August 5, 2019 filed a claim with the Agency
Spanish Data Protection. The claim is directed against the ASSOCIATION OF
PENITENTIARY WORKERS YOUR ABANDONMENT CAN KILL ME with NIF
G88300991 (hereinafter, the claimed one).


The claimant states: “that on August 2, 2018, the defendant proceeded
to disseminate through the social network Twitter a copy of an alleged demand for an act of
conciliation that would have been filed with the claimant.


This request includes your personal data including your home address.
that it is not a public data or accessible to third parties.

Due to her work, the claimant is a public person, not her domicile, and the
disclosure of said data.


The dissemination of the data has been massive as reflected by the number of retweets and
favorites that tweet in question ”.

       And, it provides the following documentation, among others: The document published in
Twitter, which contains the home address of the claimant.


SECOND: In view of the facts stated, on October 1,
2019 and on the 14th of the same month and year, the claim for the claimed
report:


    1. “The decision taken regarding this claim.


    1. In the event of exercising the rights regulated in articles 15 to 22

       of the RGPD, accreditation of the response provided to the claimant.


    2. Report on the causes that have motivated the incidence that has originated the
       claim.


    3. Report on the measures adopted to prevent incidents from occurring
       similar, implementation dates and controls carried out to verify their
       effectiveness.


    4. Any other that you consider relevant. "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/6









       Thus, on October 12, 2019, the notification service
electronic, returned the aforementioned notification, as the deadline for putting into

disposition and on November 8, 2019, it was returned by the postal service, by
said shipment not to be withdrawn from the post office.

THIRD: On January 18, 2021, the respondent states: “that my
constituents withdrew from their Twitter account the document published in a
immediate, not being the same on the network for more than 15 minutes, being published by
error, error that once warned caused the immediate withdrawal of the publication, fact
which is easily verifiable by the Agency to which I am writing, leaving no trace

of any kind of networks, nor of the data, nor of the content of the conciliation
published by mistake, a fact that caused the complainant not to suffer any damage ”.


FOURTH: On February 18, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the ASSOCIATION
OF PENITENTIARY WORKERS YOUR ABANDONMENT CAN KILL ME, for the
alleged violation of Article 6 of the RGPD, typified in Article 83.5 a) of the RGPD

in relation to article 72.1 b) of the LOPDGDD.

FIFTH: The Agreement to Initiate Sanctioning Procedure, was notified to the entity
claimed electronically, the date of making available being February 19
of 2021, as evidenced by the certificate issued by the FNMT that works in the
proceedings.


SIXTH: Formally notified of the initiation agreement, the respondent has submitted
brief of allegations on March 4, 2021, stating: “We must declare
that my constituents removed from their Twitter account the published document of
immediately, not being the same on the network for more than 15 minutes, being

published by mistake, an error that once noticed, caused the immediate withdrawal of the
publication, leaving no trace of any kind on the networks, neither of the data, nor of the
content of the conciliation published by mistake, a fact that motivated the complainant
would not suffer any harm.


       Therefore, having recognized the facts and not having any previous sanction,
taking into account the principle of proportionality and seriousness of what happened and the rapid
correction made, we request in application of art. 148 of the RGPD that the sanction
remain in a warning, showing our deepest regret for what
happened, not being our intention to cause harm to anyone, since everything is
It was due to an inadvertent error.


       We request: that they consider the facts to be recognized and if they consider that the
action is reprehensible, we request that taking into account the principles of seriousness and
proportionality, the sanction imposed on us is a Warning ”.


       In view of all the actions, by the Spanish Protection Agency
of Data in this procedure the following are considered proven facts:




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/6











                                      PROVEN FACTS


FIRST: It is on record that on August 2, 2018, the respondent proceeded to disseminate
by the social network Twitter a copy of an alleged demand for an act of conciliation

that would have been brought against the claimant.

        The aforementioned claim includes the personal data of the claimant
including your home address, which is not public data or accessible to third parties.


        Due to her work, the claimant is a public person, not her domicile, and the
disclosure of said data.

        The dissemination of the data has been massive as reflected by the number of retweets and
favorites that tweet in question.


SECOND: On March 4, 2021, the party claimed in its brief of
Allegations acknowledges the facts and agrees with the sanction imposed.



                               FOUNDATIONS OF LAW

                                              I

        By virtue of the powers that article 58.2 of the RGPD recognizes to each

control authority, and as established in arts. 47 and 48.1 of the LOPDPGDD, the
Director of the Spanish Data Protection Agency is competent to resolve
this procedure.

                                             II


        Article 6.1 of the RGPD, establishes the assumptions that allow considering
lawful processing of personal data.

        For its part, article 5 of the RGPD establishes that personal data will be:


        "A) treated in a lawful, loyal and transparent manner in relation to the interested party
("Lawfulness, fairness and transparency");

        b) collected for specific, explicit and legitimate purposes, and will not be processed

subsequently in a manner incompatible with said purposes; in accordance with article 89,
section 1, the subsequent processing of personal data for archiving purposes in
public interest, scientific and historical research purposes or statistical purposes are not
deemed incompatible with the original purposes ("purpose limitation");


        c) adequate, relevant and limited to what is necessary in relation to the purposes
for those who are processed ("data minimization");


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/6








        d) accurate and, if necessary, up-to-date; all measures will be taken
reasonable so that the personal data that
are inaccurate with respect to the purposes for which they are processed ("accuracy");


        e) maintained in a way that allows the identification of the interested parties
for no longer than is necessary for the purposes of data processing
personal; personal data may be kept for longer periods
provided that they are treated exclusively for archival purposes in the public interest, purposes of
scientific or historical research or statistical purposes, in accordance with article

89, paragraph 1, without prejudice to the application of technical and organizational measures
appropriate measures imposed by this Regulation in order to protect the rights and
freedoms of the interested party ("limitation of the conservation period");

        f) treated in such a way as to guarantee adequate security of the

personal data, including protection against unauthorized or illegal processing and
against their loss, destruction or accidental damage, by applying measures
appropriate technical or organizational ("integrity and confidentiality").

        The person responsible for the treatment will be responsible for compliance with the
provided for in section 1 and capable of demonstrating it ("proactive responsibility"). "


                                             III

        According to the available evidence, it is considered proven
that on August 2, 2018, the respondent proceeded to disseminate through the social network

Twitter an alleged lawsuit for a conciliation act that would have been filed against the
claimant where their personal data were included, including their home address.

        Therefore, it is found that the complainant spread the message on the social network
home of the claimant, and therefore is responsible for the

violation of confidentiality when disseminating said data, so it is considered that
has violated article 6.1 due to an illicit treatment of the personal data of the
claimant, in relation to article 5.1 f) of the RGPD, which governs the principles of
integrity and confidentiality of personal data, as well as responsibility
proactive of the controller to demonstrate compliance.

                                              IV



        Article 83.5 a) of the RGPD, considers that the infringement of “the basic principles
costs for the treatment, including the conditions for consent under the
Articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the aforementioned article.

Article 83 of the aforementioned Regulation, with administrative fines of € 20,000,000 at most
mo or, in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for the
of greater amount. "


      Article 58.2 of the RGPD indicates: "Each control authority will have all
the following corrective powers listed below:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/6








       b) punish any person responsible or in charge of the treatment with warning
when the processing operations have infringed the provisions of this Re-
regulation;

       d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,

in a certain way and within a specified time. "


       Recital 148 points out:

       "In the event of a minor offense, or if the fine that is likely to be imposed
would constitute a disproportionate burden for an individual, rather than
sanction by fine may be imposed a warning. It must however

pay special attention to the nature, severity and duration of the offense, to its
intentional nature, to the measures taken to alleviate the damages suffered,
the degree of responsibility or any relevant prior infringement, the way in which
that the supervisory authority has had knowledge of the infringement, to the fulfillment
of measures ordered against the person in charge or in charge, to the adherence to codes of

conduct and any other aggravating or mitigating circumstance. "

       There are no penalties preceding the claimed, the activity of the claimed
It is not the usual data processing, nor was it intended to obtain benefits.


       The respondent has recognized this error, and it is clear that she withdrew from her
Twitter the document posted immediately.


                                            V


       Formally notified of the initiation agreement, the complainant has submitted a written
of allegations on March 4, 2021, stating: “We must state that my
constituents withdrew from their Twitter account the document published in a
immediate, not being the same on the network for more than 15 minutes, being published by
error, error that once warned, caused the immediate withdrawal of the publication, no

leaving a trace of any kind on the networks, neither of the data, nor of the content of the
conciliation published by mistake, a fact that caused the complainant not to suffer
no harm.

       Therefore, having recognized the facts and not having any previous sanction,

taking into account the principle of proportionality and seriousness of what happened and the rapid
correction made, we request in application of art. 148 of the RGPD that the sanction
remain in a warning, showing our deepest regret for what
happened, not being our intention to cause harm to anyone, since everything is
It was due to an inadvertent error.


       We request: that they consider the facts to be recognized and if they consider that the
action is reprehensible, we request that taking into account the principles of seriousness and
proportionality, the sanction imposed on us is a Warning ”.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/6









       Article 85 of Law 39/2015, of October 1, on the Procedure

Common Administrative of Public Administrations (hereinafter, LPACAP),
under the heading "Termination of sanctioning procedures" provides the
following:

       "one. Initiated a sanctioning procedure, if the offender acknowledges his

responsibility, the procedure may be resolved with the imposition of the sanction
that proceeds ”.

In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:


FIRST: IMPOSE THE ASSOCIATION OF PENITENTIARY WORKERS YOUR
ABANDONMENT CAN KILL ME, with NIF G88300991, for an infraction of the article
6 of the RGPD, typified in article 83.5.a) of the RGPD, a warning sanction.


SECOND: NOTIFY this resolution to ASSOCIATION OF WORKERS
PENITENTIARIES YOUR ABANDONMENT CAN KILL ME, with NIF G88300991

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the

National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


Mar Spain Martí
Director of the Spanish Agency for Data Protection



















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es