AEPD (Spain) - PS/00292/2019
| AEPD - PS/00292/2019 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(b) GDPR Article 83(2)(b) GDPR Article 83(2)(g) GDPR Article 83(5)(a) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | n/a |
| Published: | 10. 2.2020 |
| Fine: | None |
| Parties: | Anoymous Vs. Anonymous |
| National Case Number/Name: | PS/00292/2019 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in es) |
| Initial Contributor: | n/a |
The AEPD imposed a 1.000 € fine for a fake ad containing personal data in a website site aimed at offering services for adults, without the consent of the data subject.
English Summary
Facts
A website containing aimed at offering services for adults published the picture, name, telephone number and a sexual related description of a citizen – the complainant - as a contact person for the performance of those services without her consent. Followings the publication of her personal data on the website, the complainant received unsolicited phone calls from people who wanted to have sex with her. The complainant pointed it out that the pictures published had been obtained from her work intranet with an external IP address. Thus, she filed a complaint with the AEPD against the IP address owner which added her personal data on the website. Therefore, she complained that the advertiser who added the ad unlawfully processed her personal data and did not sue the service provider which removed the publication immediately.
Dispute
The AEPD had to pronounce itself on the legal basis of the processing of personal data – consent or performance of a contract – and had to decide which circumstances should be take into account for the administrative fine.
Holding
The AEPD stated that it was clear from the procedure that the advertiser added a fake ad on the web portal, containing the personal data of the complainant without her consent. Thus, it considered that the personal data published on the website were not necessary for the performance of the contract between the advertiser and the website. Therefore, it concluded that the advertiser violated Article 5(1)(a) and 6(1)(b) GDPR. In addition, the AEPD decided to impose a fine of 1.000 € in accordance with Article 83(5)(a) by taking into consideration that the action is intentional (Article 83(2)(b) GDPR), and that the personal data are sensitive (Article 83(2)(g) GDPR).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the **Spanish** original. Please refer to the **Spanish** original for more details.
to be completed
