AEPD (Spain) - PS/00200/2021

From GDPRhub
Revision as of 09:50, 5 August 2021 by Cvl (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD (Spain) - PS/00200/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.07.2021
Published: 30.07.2021
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: PS/00200/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined the owner of a dating website €2000 for publishing contact data without the consent of the data subject.

English Summary

Facts

A data subject found out that their phone number had been uploaded to a dating website, along with the name and pictures of a different person, because they were receiving phone calls and whatsapp messages from unknown persons.

The data subject tried to contact the owner of the website to get their data deleted, without success.

The data from other persons had also been uploaded without consent.

The data subject lodged a complaint with the Spanish DPA (AEPD), that launched an investigation. The AEPD found who was the owner of the website, and additionally found that there was no security measure to verify the identity of the persons uploading personal data, in order to verify that the personal data uploaded belongs to such persons and is done with their consent.

Holding

The Spanish DPA concluded that the owner of the website was ultimately processing personal data without a legitimate basis from Article 6 GDPR, since some of the data uploaded to the website was done without the consent of the data subjects, as it was done by different persons and without their knowledge and consent.

For this, the AEPD fined the owner of the dating website €2000 for publishing contact data without the consent of the data subject, in breach of Article 6 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/9








     Procedure No.: PS / 00200/2021

                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:

                                  BACKGROUND



FIRST: The Unión Asociativa de Valencia UNAE, with NIF G46421673, in the name and
representation of Ms. A.A.A. (hereinafter, the claimant) dated February 18,
2020 filed a claim with the Spanish Data Protection Agency. The
claim is directed against Ms. B.B.B. with NIF *** NIF.1 (hereinafter, the claimed one).

The claimant states that on the web *** URL.1 (dating page with a sexual nature)

photos of people appear that do not correspond to the telephone numbers of
contact of these and that the claimant is being a direct victim of these events.
The images with the contact numbers are still active in *** URL.1 / CAT-
GIRLS that anyone can post an ad without there being any
personality verification control, via pin codes to the mobile entered to give yourself
high.


In addition, the contact form on the web, located at *** URL.1 / CONTACT is a
false contact.

Request that this web page be closed and that the telephone numbers be suppressed, in

specifically that of the claimant *** TELEPHONE. 1.

And, among other things, it provides the following documentation:

 Screenshot of the ad in the url *** URL.1 where the name of the
"Katy", a sexual photograph and the claimant's phone number.


 Copy of privacy policy located in the url
*** URL.1 / PRIVACY_POLICY where it appears in the section
"RECIPIENTS" that "The data will be communicated to the company *** COMPANY.1 with
who *** URL.1 has contracted their virtual services, ... "


 Copy of e-mail sent by “*** COMPANY.1,” on the 13th of
February 2020 at 12:06 p.m., which contains the following text:

Dear Ladies and Gentlemen,

 Further to your inquiry we would like to inform you that we have taken note oft he
circumstances as described by yourself and that we have taken the measures as
requested. Please understand that for data protection reasons we are unable to give
you any more information.
 With kind regards from Berlin,
 *** COMPANY.1 "


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/9








 Copy of email sent by A.A.A. @ GMAIL.COM, dated 13
February 2020 at 1:13 p.m., which contains the following text:


"Dear Sir or Madam,

Thank you so much for your answer and for having taking actions quickly.
How can you unable this site to indicate again new phone numbers without a
verification code? Can they do it again?

You have to alert the website that is not doing things right, they are doing illegal things
and they need to create a verification code if they ask for a number or email to double
check identity. The police in Spain will investigate them so they better stop doing this
type of illegal procedures.
I remain at your disposal for any further information.
Thank you.


Kind regards,

A.A.A. "
 Copy of email containing the following text:


"Hello,

  I continue seeing my phone number associated to the profile. Bottom- Left as shown
in the image. You just have to situate the mouse where it says "CALL" and it

appears.
  When do you think this will be solved?

  Thank you,


  A.A.A. "

 Copy of email sent by ABUSE-
SERVER@***EMPRESA.1.DE to A.A.A. @ GMAIL.COM dated February 13,
2020 at 13:50:51 in which the following text appears:

"
Dear Ladies and Gentlemen,

the problems will be solved shortly, please be patient


With kind regards from Berlin,

*** COMPANY.1 "

 Copy of report 940/20 from the General Directorate of the Police in which

The claimant appears on February 12, 2020, with the following
manifestations among others:

a) That your telephone number is the *** TELEPHONE. 1.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/9








b) That on 02/11/2020 around 10:00, he received WhatsApp from a person to
the one you do not know with a phone number *** PHONE 2 who wrote “Hello Katy
I've seen you at *** URL.1 and I'd like to meet you ”.


c) That the same day around 8:00 p.m. you receive a call from another person
unknown with phone number *** PHONE. 3.

d) That by entering the false profile you can contact via WhatsApp or
telephone with the claimant.


e) That in the fake profile where your phone appears you can see a person
Naked which she does not know, calling herself Katy.

f) That the complainant tried to contact the customer service of the

website, which apparently has an email that does not exist since it
they return the mails.

g) That the complainant states that she has never registered in any
page of this type.


 Copy of report 1008/20, from the General Directorate of the Police in which
The claimant appears on February 14, 2020, and performs the following
manifestations, among others:


a) That the claimant contacts another telephone number of a
woman listed on the web page *** URL.1 to check if that number
corresponds to the person in the photo, stating that this number belongs to a
person who claims to be called C.C.C., with telephone number *** TELEPHONE. 4.

b) That the claimant made a second call to another telephone number of

a woman who appears on the website *** URL.1 stating that this number
belongs to an 80-year-old woman who has neither consented nor has
proof of that web page.

SECOND: In accordance with the provisions of article 65.2 of the LOPDGDD, in

On March 9, 2020, the admission agreement for processing of this document is signed
claim.

THIRD: In view of the facts denounced in the claim and the
documents provided by the claimant and the facts and documents of which it has

this Agency, the Subdirectorate General for Data Inspection, has come to know
proceeded to carry out preliminary investigation actions for the
clarification of the facts in question, by virtue of the powers of investigation
granted to the control authorities in article 57.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and of
in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law

Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/9








As a result of the investigative actions carried out, it is verified that the
responsible for the treatment is the one claimed.


On 06/02/2020, it was checked against the web *** URL.1:

That the person responsible for the web does not appear in the privacy policy.

On 06/03/2020, it is checked against the web *** URL.1:


That the result of the query for the url *** URL.1 is a blank page.

On 06/16/2020, OVH HISPANO, S.L. send this Agency the following
information and statements:


That the person who has contracted the service *** URL.1 is B.B.B ..

On March 30, 2021, the postal address of the
claimed.

On the previous date, a request for information is sent to the respondent. The

notification is made by post and is listed with the status "wrong address" by
the postal service dated April 14, 2021.

On April 23, 2021, the Tax Agency, Planning and
Institutional Relations sends this Agency information on the fiscal address of the

claimed, being different from the previous one.

On the same date, a request for information is sent to the respondent. The
notification is made by post.


FOURTH: On May 10, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged violation of Article 6.1 of the RGPD, typified in Article 83.5.a) of the aforementioned
GDPR.

FIFTH: Having been notified of the agreement to initiate this procedure

sanctioning both through the postal service, as well as the notice board of the
BOE, on May 24 and June 14, 2021.

SIXTH: Formally notified of the initiation agreement, the one claimed at the time of the
This resolution has not submitted a brief of allegations, so it is

application of what is stated in article 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations, which in its
section f) establishes that in case of not making allegations within the established period
on the content of the initiation agreement, it may be considered a proposal for
resolution when it contains a precise pronouncement about the responsibility

imputed, for which a Resolution is issued.

       In view of all the actions, by the Spanish Protection Agency
of Data in this procedure the following are considered proven facts:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/9










                                        ACTS


FIRST: It appears that on the web *** URL.1 (dating page with a sexual nature)
photos of people appear that do not correspond to the telephone numbers of
contact of these and that the claimant is being a direct victim of these events.
The images with the contact numbers are still active in *** URL.1 / CAT-

GIRLS that anyone can post an ad without there being any
personality verification control, via pin codes to the mobile entered to give yourself
high.

In addition, the contact form on the web, located at *** URL.1 / CONTACT is a

false contact.

SECOND: It is verified in the ad screenshot in the url *** URL.1 that
It includes the name of "Katy", a photograph of a sexual nature and the telephone number of the
claimant.


THIRD: On May 10, 2021, this sanctioning procedure was initiated by the
violation of article 6 of the RGPD, being notified. Not having made
allegations, the claimed one, to the initial agreement.




                           FOUNDATIONS OF LAW

                                            I


       By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.


                                            II

         Article 6 of the RGPD, "Legality of the treatment", details in its section 1 the
cases in which the processing of third party data is considered lawful:


         "1. The treatment will only be lawful if it complies with at least one of the following
terms:

       a) the interested party gave their consent for the processing of their data

personal for one or more specific purposes;

       b) the treatment is necessary for the performance of a contract in which the
interested is part or for the application at the request of this of measures
pre-contractual;

(…) "


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/9








      The infringement for which the claimed entity is responsible is found
typified in article 83 of the RGPD that, under the heading "General conditions for
the imposition of administrative fines ”, it states:


      "5. Violations of the following provisions will be sanctioned, in accordance with
with section 2, with administrative fines of a maximum of 20,000,000 Eur or,
in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the highest amount:


a) The basic principles for the treatment, including the conditions for the
consent in accordance with articles 5,6,7 and 9. "

      Organic Law 3/2018, on Protection of Personal Data and Guarantee of

Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions
considered very serious ”provides:

      "1. Based on what is established in article 83.5 of the Regulation (E.U.)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that one and, in

in particular, the following:

       (…)
b) The processing of personal data without any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679. "


                                             III

      The documentation in the file provides evidence that the claimed
violated article 6.1 of the RGPD, due to lack of legitimacy in the treatment of the data of the

claimant's phone number, associated with an image of another person and unrelated appointments
consented, without having proven that they have the legal authorization to do so.

        Article 6.1 RGPD says that the treatment will be lawful if “a) the interested party gave
your consent to the processing of your personal data for one or more purposes
specific ”.


        It is clear that the respondent published an announcement on a contact web portal,
sexually, containing the claimant's phone number, associated with an image
and to some non-consensual appointments, treatment of the claimant's data that I carry out without
standing for it.


        Thus, it is estimated that the facts that are submitted to the assessment of this
Agency are constitutive of an infringement of art. 6.1.



                                                IV

        In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, provisions that state:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/9









           "Each control authority will guarantee that the imposition of fines
administrative regulations pursuant to this article for the infractions of this

Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "

       "Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine

administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question as well
such as the number of interested parties affected and the level of damages that
have suffered;

b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to
mitigate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person in charge or the person in charge of the treatment,
taking into account the technical or organizational measures that have been applied by virtue of
of articles 25 and 32;

e) any previous infringement committed by the person in charge or the person in charge of the treatment;
 f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority learned of the infringement, in

in particular if the person in charge or the person in charge notified the infringement and, if so, in what
measure;
i) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the person in charge in relation to the
same issue, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or
indirectly, through the offense. "


      Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:
      "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:
  a) The continuing nature of the offense.

  b) The linking of the activity of the offender with the performance of treatment of
personal information.
  c) The benefits obtained as a result of the commission of the offense.
  d) The possibility that the affected person's conduct could have led to the
commission of the offense.

  e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.
  f) Affecting the rights of minors.
  g) Have, when not mandatory, a data protection officer.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/9








  h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party. "


      In accordance with the provisions transcribed for the purpose of setting the amount of the
sanction of a fine to be imposed on the claimed party, as responsible for an infraction
typified in article 83.5.a) of the RGPD, the following are considered concurrent
factors:


- The nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question as well
such as the number of interested parties affected and the level of damages that have
suffered (art. 83.2 a).


- The intentionality in the commission of the offense (art. 83.2 b).

       Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:


FIRST: IMPOSE Ms. B.B.B., with NIF *** NIF.1, for a violation of Article
6.1 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 2,000 euros (two
a thousand euros).

SECOND: NOTIFY this resolution to Ms. B.B.B., with NIF *** NIF.1.


THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved

by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case

Otherwise, it will be collected in the executive period.

        Once the notification has been received and once it is executed, if the date of execution is
finds between the 1st and the 15th of each month, both inclusive, the deadline to carry out the
Voluntary payment will be until the 20th of the following or immediately subsequent business month, and if
is between the 16th and last days of each month, both inclusive, the term of the

payment will be up to the 5th of the second following or immediate business month.

        In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.


        Against this resolution, which ends the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, the interested parties may file, optionally, an appeal for reversal

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/9








before the Director of the Spanish Agency for Data Protection within a period of
month from the day following notification of this resolution or directly

contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the

referred Law.

       Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the firm resolution may be suspended in an administrative way
If the interested party expresses his intention to file a contentious appeal-

administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Data Protection Agency,
Presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Too

must forward to the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency is not aware of the
filing of the contentious-administrative appeal within a period of two months from the
day after the notification of this resolution, I would terminate the
precautionary suspension.


Mar Spain Martí
Director of the Spanish Agency for Data Protection































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es