AEPD (Spain) - PS/00191/2022

From GDPRhub
AEPD - PS/00191/2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Type: Investigation
Outcome: Violation Found
Started: 25.04.2022
Fine: 50.000 EUR
Parties: Conecta5 Telecinco
National Case Number/Name: PS/00191/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Bernardo Armentano

The Spanish DPA found that the publication of the voice of a crime victim violated their right to privacy as their identity was not relevant for the general public. It fined the publisher €50,000 for violating Article 5(1)(c) GDPR.

English Summary


The data subject was the victim of a crime that was being covered by the media in Spain. During the case trial, the the data subject gave a testimony reporting the details of the crime. Telecinco, the controller, and other media channels, released the original audio without distorting the data subject's voice.

The DPA initiated an investigation after a complaint was filed and ordered the controller to remove the data subject's voice from their website. In response, the controller argued that the mere hypothetical possibility of singling out an individual is not sufficient to consider the person as identifiable. In their view, taking into account all the means that may reasonably be used by the controller or any other person, such a possibility does not exist or is either negligible. Therefore, the voice cannot be considered as personal data. It also claimed that the original source of the data was the Court, which distributed the recording to all media channels without applying any prior voice distortion or giving any instructions in this regard. Finally, it alleged that coverage of crimes is of public interest and that restricting the publication would infringe their right to freedom of expression.


The DPA stated that the voice is personal data since it enables the identification of an individual, regardless of the number of persons who may recognise it. It emphasized that it is an individual attribute defined by its pitch, intensity and timbre. According to the DPA, the voice is endowed with unique and singular distinctive features that makes it possible to infer not only the person's age, sex and state of health but also their way of being, culture, origin and their hormonal, emotional and psychic state. In this sense, elements of expression, idiolect or intonation are also personal data considered together with the voice. It highlighted that, in line with Recital 75 GDPR, risk must be interpreted as any circumstance that may give rise to a damage, without the need for this damage to materialise.

In the case at hand, there was a high risk that the victim would be identified at the very least in their closest circle and then subjected to a second victimization. The DPA clarified that the object of the investigation was the dissemination of the victim's voice by the media and not other data processings such as those carried out by the Court. It reaffirmed the position of Telecinco as a controller since it decided what data to publish and how. It noted that where there is a "processing chain", i.e. different and subsequent processing operations carried out by different controllers, each controller is responsible for the decisions it takes in its own sphere with regard to its processing. They cannot rely on what the previous controller did in order to be exempted from liability, just as they will not be held liable for the decisions taken by the controller further down the chain.

Finally, it recalled a decision from the Spanish Constitutional Court (27/2020), in which it analyzed whether the non-consensual reproduction of the image of an anonymous person who suddenly and involuntarily acquired a role in a newsworthy event, in this case as a victim, violated their individual rights. The Court held the limit of freedom of expression and access to information lies in the individualisation, direct or indirect, of the victim, as this data neither in the public interest nor relevant to the information provided. Likewise, the DPA found that although the facts under analysis were relevant for the general public, the identity of the victim was not, particularly because they are not a public figure.

Therefore, the DPA found that the controller processed data which were excessive for the purpose of informing the public and fined it €50,000 for violating Article 5(1)(c) GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: PS/00191/2022
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
FIRST: D.A.A.A. (hereinafter, the claiming party), dated ***DATE.1,
filed a claim with the Spanish Data Protection Agency (hereinafter,
AEPD). The reasons on which the claim is based are the following:
The complaining party reported that several media outlets published in
their websites the audio of a victim's statement before the judge to illustrate the
news regarding the holding of the trial in a case that was highly mediated. The part
complainant provided links to news published on media websites
On ***DATE.2, a new letter sent by the party was received
claimant, stating that he had been able to verify that there were means that had
removed that information, although it accompanied publications made by some
outlets on Twitter where it continued to be available.
SECOND: Dated ***DATE.3, in accordance with article 65 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), the claim was admitted for processing
submitted by the complaining party.
THIRD: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
matter, by virtue of the investigative powers granted to the supervisory authorities
in article 58.1 of Regulation (EU) 2016/679 (General Regulation of Protection
of Data, hereinafter GDPR), and in accordance with the provisions of Title VII,
Chapter I, Second Section, of the LOPDGDD, having knowledge of the following
During the investigation actions, publications were found, more than
those initially denounced by the complaining party, where the voice of the complainant could be heard
undistorted victim. Among them, the following CONECTA5 publication
TELECINCO, S.A.U, with NIF A82432279 (hereinafter, the claimed party):
On ***DATE.4, the defendant was notified of a precautionary withdrawal measure
urgent content or distorted voice of the intervener
so as to be unidentifiable in the web address from which it was
accessible this content.
C/ Jorge Juan, 6
28001 – Madrid
On ***DATE.5, a letter sent by this entity was received by this Agency
informing that it had proceeded to give immediate and full compliance to the
practiced requirements; verifying the deletion of the news.
FOURTH: On April 25, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate disciplinary proceedings against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of Public Administrations (in
hereafter, LPACAP), for the alleged infringement of article 5.1.c) of the GDPR, classified as
in article 83.5.a).
FIFTH: Notified of the aforementioned start-up agreement in accordance with the rules established in
the LPACAP, the claimed party submitted a brief of allegations on May 10,
2022 in which, in summary, he stated that:
1.- The voice is not considered as a personal data, because not all own attribute and
individual of a person is a personal data, but only those that
identify or allow us to identify the specific person.
For this purpose, it invokes Opinion 4/2007 on the concept of personal data of the Group
of Labor of Article 29, which indicates that a person can be considered "identified"
natural person when, within a group of people, he is "distinguished" from all
other members of the group; the natural person is "identifiable" when, although not
has yet identified it, it is possible to do so. And that the identification is achieved
normally through specific data that we can call "identifiers" and that
They have a privileged and very close relationship with a certain person.
It indicates the claimed party that never identified the victim basically because
He was unaware and still is unaware of that identity. And that the information he gave was
limited to some circumstances of the event, to procedural information, the sex of the
victim and her voice.
It states that in order to consider whether the voice is sufficient to identify the person,
circumstances must be taken into account. And that in the case that
we are concerned with, the voice, as can be verified in the recordings issued in its day,
is the � � � � � �
, a fact that he considers should not be left aside, since
it is about assessing whether the voice alone is capable of individualizing the victim among a
certain group, daring to say that this group is so indeterminate and wide
like that of young women (...) ***LOCATION.1. Therefore, he denies
categorically that the voice can single out the victim among all the women
young people who were in ***LOCATION.1 on the day of the events.
For all these reasons, it considers that neither the voice nor the information it disclosed are identifiers
enough to single out the person within the reference group to the point
that it can be identified.
He goes on to indicate that another element that he considers particularly important to ponder
is that of the necessary means for the identification of a person, invoking the
effect recital 26 of the GDPR:
C/ Jorge Juan, 6
28001 – Madrid