AEPD (Spain) - PS/00312/2023
From GDPRhub
| AEPD - PS/00312/2023 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 5(1)(c) GDPR Article 83(2)(a) GDPR Article 83(2)(b) GDPR Article 83(2)(g) GDPR Article 85 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 22.06.2023 |
| Decided: | |
| Published: | 22.08.2023 |
| Fine: | 30,000 EUR |
| Parties: | Atresmedia Corporación de Medios de Comunicación, S.A |
| National Case Number/Name: | PS/00312/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | João Pedro Teixeira |
The Spanish DPA fined a Spanish telecom group (Atresmedia Corporación de Medios de Comunicación, S.A) in €30,000 for failing to disguise the voice of a rape victim before publishing an audio recording of her testimony at trial, which was considered as data minimization principle violation
English Summary
Facts
The data subject was the victim in a rape case that had garnered public attention. She complained to the Spanish DPA (Agencia Española de Protección de Datos - AEPD) that the controller, Atresmedia Corporación de Medios de Comunicación, S.A., had published an unaltered audio recording of her speaking in court.
An investigation by the DPA confirmed multiple instances where the audio recording was not distorted before publication, and the DPA sent the controller an urgent request to either take down the recordings or alter them so as to render the data subject's voice unrecognizable. The controller complied, removing or distorting instances of the recording both published and archived.
Holding
The DPA first confirmed that publishing a voice recording is processing of personal data. A voice is a personal attribute unique to each person and thus falls under the definition of personal data in Article 4(1)GDPR. Furthermore, a voice can reveal identifiers like age, sex, state of health, culture, and emotional state. This combined with the fact that Article 4(2) GDPR includes "transmission" and "dissemination" in the definition of processing means that publishing a recording of a person's voice is processing of personal data.
The DPA then considered the balance of fundamental rights at stake, noting that Article 85 GDPR mandates the reconciliation of the right to freedom of information with the right to privacy. The DPA held that the identifying characteristics of the victim were unrelated to the public's news interest in criminal proceedings. Thus, the principle of data minimisation (Article 5(1)(c) GDPR) required the controller to implement measures to avoid voice recognition, like distorting the recording or reading a transcript.
For violating Article 5(1)(c) GDPR, the DPA fined the controller €50,000. In its assessment of the fine, the DPA noted three aggravating factors per Article 83(2) GDPR: (1) the seriousness of revealing sensitive data of a person who has already been the victim of a violent crime against sexual integrity, (2) the negligence displayed in failing to implement appropriate safeguards for news subjects, and (3) the disclosure of a special category of data. The fine was ultimately reduced by 40% because the controller acknowledged responsibility and paid before resolution of the sanctioning procedure.
Comment
This case is similar to cases PS/00191/2022 (https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS/00191/2022) and PS / 00192/2022 (https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS-00192-2022), also judged by the AEPD, since several telecommunications companies published the voice of the complainant without the proper adoption of measures to prevent her identity from being linked to the content.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/19
File No.: PS/00312/2023
RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
VOLUNTEER
From the procedure instructed by the Spanish Data Protection Agency and based
to the following
BACKGROUND
FIRST: On June 22, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against ATRESMEDIA
COMMUNICATION MEDIA CORPORATION, S.A. (hereinafter, the part
claimed), through the Agreement transcribed:
<<
File No.: PS/00312/2023
AGREEMENT TO START SANCTIONING PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and in
based on the following
BACKGROUND
FIRST: Don A.A.A. (hereinafter, the complaining party), dated April 8,
2021, filed a claim with the Spanish Data Protection Agency. The
claim was directed, among others, against ATRESMEDIA CORPORACIÓN DE
MEDIOS DE COMUNICACIÓN, S.A., with NIF A78839271 (hereinafter, the part
claimed or ATRESMEDIA). The reasons on which the claim was based are:
following:
The complaining party reported that several media outlets had
published on their websites the audio of the statement before the judge of a victim of
a multiple rape, to illustrate the news regarding the holding of the trial in a
case that was very media. The complaining party provided links to the news
published on the websites of the claimed media.
On May 10, 2021, a new letter was received from the party
claimant stating that he had been able to verify that there were means that had
eliminated that information, although it accompanied publications made by some
media outlets on Twitter where it was still available.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/19
SECOND: On May 12, 2021, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.
THIRD: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
issue, by virtue of the investigative powers granted to the authorities of
control in article 58.1 of Regulation (EU) 2016/679 (General Regulation of
Data Protection, hereinafter RGPD), and in accordance with the provisions of the
Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the
following extremes:
During the research activities, publications were found where
he could hear the victim's voice without distortion. For all those responsible for the
treatment was issued, on May 13, 2021, a precautionary measure to withdraw
urgent content or distorted the voice of the intervener so that
would be unidentifiable in the web addresses from which this was accessible.
content.
These extremes could be verified in relation to the claimed part:
- ATRESMEDIA CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A.
***URL.1
***URL.2
***URL.3
On May 17, 2021, this Agency received a letter sent by this Agency.
entity informing that for the first two cases the content has been eliminated
and for the last one, the voice had been distorted; verifying what was stated.
FOURTH: After the processing of procedure PS/00190/2022 instructed to
ATRESMEDIA, on December 29, 2022, said media outlet was notified
communication the resolution issued on December 27, 2022 by the Director of the
Spanish Data Protection Agency, by which:
“IMPOSE ATRESMEDIA MEDIA CORPORATION,
S.A., with NIF A78839271, for a violation of Article 5.1.c) of the RGPD, typified
in Article 83.5 a) of the RGPD, a fine of 50,000 euros (fifty thousand euros).”
“Confirm the following provisional measures imposed on ATRESMEDIA
MEDIA CORPORATION, S.A.:
- Removal or distortion of the victim's voice from their web addresses, avoiding, in the
To the extent that the state of technology permits, the re-uploading or re-uploading of copies
or exact replicas by the same or other users.
- Withdrawal or modification of the contents in such a way that makes access impossible and
disposal of the original by third parties, but guarantee its conservation, for the purposes of
guard evidence that may be necessary in the course of the investigation
police or administrative or judicial process that may be instituted.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/19
FIFTH: Received a letter from ATRESMEDIA on March 23, 2023,
warned that a computer error had occurred at the time of notification,
that had affected the text of the resolution made available to said media
communication on December 29, 2022. The resolution received by ATRESMEDIA
It only had the first 17 pages of a text with a total of 53
pages. Although the text of the resolution signed by the Director of the AEPD was
totally correct, said error had affected the text notified to the media
communication, which was incomplete.
Consequently, despite the fact that the resolution issued by the Director of the AEPD on
December 27, 2022 was a valid act, it could not be effective, given that the
notification made on December 29, 2022 had been incomplete and had
after the 9-month period provided for in article 64 of the LOPGDD has concluded.
On May 10, 2023, the Director of the AEPD issued a resolution for the
that it was agreed to revoke the resolution of procedure PS/00190/2022 and declare the
expiration thereof.
The aforementioned resolution was notified to ATRESMEDIA on May 11, 2023 and is
firm through administrative means, as a period of one month has elapsed without the
mentioned media outlet has filed an optional appeal
replacement.
SEVENTH: On the date on which this initiation agreement is issued, the
limitation period contemplated in article 72 of the LOPDGDD.
FUNDAMENTALS OF LAW
Yo
Competence
By virtue of the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR) recognizes each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”
II
Voice as personal data
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/19
A person's voice, according to article 4.1 of the GDPR, is personal data when
make it identifiable, and its protection, therefore, is the object of said RGPD:
“Personal data”: any information about an identified natural person or
identifiable ("the interested party"); An identifiable natural person shall be considered any person
whose identity can be determined, directly or indirectly, in particular by means of
an identifier, such as a name, an identification number, data of
location, an online identifier or one or more elements of identity
physical, physiological, genetic, mental, economic, cultural or social of said person;”
The voice is a personal and individual attribute of each physical person that is defined
for its height, intensity and timbre. Endowed with unique and singular distinctive features that
individualize it directly, associating it with a specific individual, it is molded
when speaking, being able to know, through it, the age, sex, state of health of the
individual, his way of being, his culture, his origin, his hormonal, emotional and
psychic. Elements of the expression, the idiolect or the intonation, are also data of
personal character considered together with the voice.
For this reason, report 139/2017 of the Legal Office of this Agency states that “the
image just as a person's voice is personal data, just as it will be
any information that allows you to determine, directly or indirectly, your identity
(…)”
In fact, the Judgment of the National Court dated March 19, 2014 (rec.
176/2012) says that “a person's voice constitutes personal data, as
As can be deduced from the definition offered by article 3.a) of the LOPD,
as
<<any information concerning identified natural persons or
identifiable>>, a question that is not controversial.”
Article 4.2 of the GDPR defines “processing” as: “any operation or set
of operations carried out on personal data or sets of personal data,
whether by automated procedures or not, such as collection, registration,
organization, structuring, conservation, adaptation or modification, extraction,
consultation, use, communication by transmission, dissemination or any other form of
enabling access, collation or interconnection, limitation, deletion or destruction.”
The inclusion of a person's voice in journalistic publications, which identifies or
makes a person identifiable, involves processing personal data and, therefore
Therefore, the person responsible for the treatment that carries out the same is obliged to comply with
the obligations for the data controller set forth in the RGPD and in
the LOPDGDD.
II
Right to data protection
This procedure begins because the claimed party published, on the websites
website referred to in the facts, the audio of the statement before the judge of a victim of
a multiple rape, to illustrate the news regarding the holding of the trial in a
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/19
case that was very media. The victim's voice could be seen clearly
recount in all crude details the multiple rape suffered. All of this constitutes
processing of personal data of the victim.
People have the power of disposal over their personal data, including
his voice, as well as its diffusion, resulting, without a doubt, deserving of
protection of the person whose personal data is disclosed in violation of the law
legal.
Thus, STC 292/2000, of November 30, provides that "the content of the right
Fundamental to data protection consists of a power of disposal and control
on personal data that empowers the person to decide which of those data
provide to a third party, be it the State or an individual, or which can this third party
collect, and which also allows the individual to know who owns that personal data
and for what, being able to oppose that possession or use. These powers of disposition and
control over personal data, which constitute part of the content of the right
fundamental to data protection are legally specified in the power of
consent to the collection, obtaining and access to personal data, its subsequent
storage and treatment, as well as its use or possible uses, by a third party, whether the
State or an individual. And that right to consent to knowledge and treatment,
computer or not, of personal data, requires as complements
essential, on the one hand, the ability to know at all times who has access to
those personal data and what use they are subjecting them to, and, on the other hand, the power
oppose that possession and uses.”
In this sense, and regardless of the legal basis that legitimizes the
treatment, all data controllers must respect the principles of
treatment included in article 5 of the RGPD. We will highlight article 5.1.c) of the
GDPR which states that:
"1. Personal data will be
c) adequate, relevant and limited to what is necessary in relation to the purposes for which
that are processed (“data minimization”);”
However, we are faced with a fundamental right that is not absolute,
since, if necessary, the Fundamental Right to Data Protection can
give in to the prevalence of other rights and freedoms also constitutionally
recognized and protected, such as, for example, the Fundamental Right to Freedom of
Information, weighing it case by case.
However, in the present case, as we will explain, it must be considered that the
treatment carried out by the claimed party within the framework of freedom of
information has been excessive, as there is no prevailing public information interest in
the dissemination of the voice of the victim - without providing any added value to the information
maintaining the victim's real voice (without distorting, for example) -, under which pretext
It seems that those data have been disclosed; voice that, added to the fact that it is
a very high-profile case, makes the victim clearly identifiable. When weighing the
competing interests and, taking into account the concurrent circumstances of this case,
that is, the particularly sensitive nature of personal data and the intense
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/19
affecting the privacy of the victim, the interest of the owner deserves greater protection
of the right to the protection of your personal data and that it not be disseminated to the public.
alleged public interest in its dissemination.
IV.
Right to information
In the struggle between the Fundamental Rights to Freedom of Information in
relationship with the Fundamental Right to the Protection of Personal Data, even
when the equal degree of protection of both constitutional rights is recognized,
Ordinarily the first is given precedence by our courts, after
evaluate and weigh all the elements at play.
Now, preponderance does not mean prevalence when, taking into account all the
concurrent circumstances in a specific case, the limits set are exceeded
normatively and jurisprudentially.
In this sense, the Article 29 Working Group in its Opinion 06/2014 on the
concept of legitimate interest of the data controller under the
Article 7 of Directive 95/46/EC, when examining the legal basis of the legitimate interest of the
article 7.1.f) of Directive 95/46/EC, fully transferable to the current art. 6.1.f) of the
GDPR, includes the right to freedom of expression or information as one of the
cases in which the question of legitimate interest may arise, asserting that “without
without prejudice to whether the interests of the data controller will ultimately prevail.
term on the interests and rights of the interested parties when the
weighing test.”
V
Limits to the Fundamental Right to Freedom of Information.
That said, the Fundamental Right to Freedom of Information is also not
absolute. We can observe very clear limits established by the courts in the
civil sphere, in relation to the Right to Honor, Personal and Family Privacy and
the Image itself.
Thus, we will cite, for all, STC 27/2020, of February 24, 2020 (recourse of
amparo 1369-2017) that provides, in relation to the image of a person, and
starting from the uncontroversial fact that makes it identifiable, that “…the question
debated is reduced to pondering whether the non-consensual reproduction of the image of a
anonymous person, that is, someone who is not a public figure, but who acquires
suddenly and involuntarily a role in the newsworthy event, in this case as
victim of his brother's failed murder attempt and subsequent suicide
of this, represented an illegitimate interference in their fundamental right to their own
image (art. 18.1 CE).
[…]
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/19
…that criminal events are newsworthy events, even with
independence of the private subject nature of the person affected by the news. Without
However, the limit is in the individualization, direct or indirect, of the victim, since
This data is not of public interest because it is not relevant to the information
that is allowed to be transmitted (SSTC 20/1992, of February 20; 219/1992, of
December; 232/1993, of July 12; 52/2002, of February 25; 121/2002, of 20
May, and 127/2003, of June 30). Thus, it is currently recognized by Law 4/2015, of 27
of April, of the crime victim statute, in force since October 28, 2015,
when he warns of the need "from the public powers [to offer] a
response as broad as possible, not only legal but also social, to the victims,
not only reparation of damage in the framework of a criminal process, but also
minimizing other traumatic effects on the moral that his condition can
generate, all this regardless of their procedural situation. Therefore, the present
Statute, in line with European regulations on the matter and with the demands that
raises our society, claims, based on the recognition of the dignity of
victims, the defense of their material and moral assets and, with it, those of the group of
the society". In cases such as those raised in this appeal, this Court must
give relevance to the prevalence of the right to the image of the victim of the crime
against information freedoms, since graphic information became idle or
superfluous because the photograph of the victim lacks real interest for the transmission of
the information, in this case the apparent accomplishment of a homicide and subsequent
suicide” (emphasis added).
We will add the STS, from its First Civil Chamber, 272/2011 of April 11, 2011
(rec. 1747/2008), in which, regarding the data necessary to provide a
information and limits to the public interest states that "b) Trivial information is not
protects (ATC 75/2006), but the fact of providing unnecessary data in a case of
rape (full name, last name initials, street portal where
the victim lived) that have no community relevance, do not respect the reservation, only
seek to satisfy curiosity, produce disturbances or annoyances and reveal
unnecessarily forms aspects of personal and private life, allowing neighbors,
close persons and family members the full identification of the victim and the knowledge
with great detail of an act that seriously violates his dignity (STC
185/2002) or about a disease that is of no public interest and directly affects
direct to the irreducible scope of intimacy and that is revealed to the effect of a pure
joke or joke (STC 232/1993);”.
Likewise, the STS, of its First Civil Chamber, Sentence 661/2016 of 10
November 2016 (rec. 3318/2014), in relation to the collection and disclosure in court
of the image of a victim of gender violence established that “1.) The
interest of the questioned information nor the right of the defendant television network
to broadcast images recorded during the oral trial of the criminal case, since they do not
There is no limitation in this regard agreed upon by the judicial body.
2.) The only controversial point is, therefore, whether the identification of the plaintiff
as a victim of the crimes prosecuted in said criminal case, through first
shots of his face and the mention of his first name and place of residence, was
also included in the fundamental right of the television channel
demanded to transmit truthful information or, on the contrary, was limited by the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/19
fundamental rights of the plaintiff to her personal privacy and her own
image.
3.) Regarding this issue, jurisprudence has recognized the general interest and the
public relevance of information on criminal cases (sentence 547/2011, of 20
July), which are accentuated in cases of physical and psychological abuse (sentences
128/2011, of March 1, and 547/2011, of July 20), but has also pointed out,
regarding the identification of the people involved in the trial, that the
accused and the victim are not on an equal footing, since in terms of
That one does allow a complete identification, and not only by his initials, due to the
nature and social significance of the crimes of mistreatment (sentence 547/2011,
of July 20).
[…]
6.) In short, the defendant television network should have acted with the prudence of the
diligent professional and avoid broadcasting images that represented the
recurring in the foreground, either by refraining from broadcasting the corresponding shots,
either using technical procedures to blur their features and prevent their
recognition (ruling 311/2013, of May 8). Similarly, it should also
avoid mentioning his first name, because this information, insufficient on its own to
constitute illegitimate interference, became relevant when pronounced on screen
simultaneously with the image of the plaintiff and add the mention of her
location of residence, data all of which are unnecessary for the essence of the content
of information, as demonstrated by the news about the same trial published at the
next day in other media. 7.) The identification of the plaintiff through her
image and personal data indicated and its direct link to an episode of
gender violence and other serious crimes, when disclosure was foreseeable
Simultaneous or subsequent data referring to how the victim and her aggressor met
and the way in which the criminal acts occurred, supposes that the loss of the
anonymity would violate both the plaintiff's right to her own image, by the
emission of their physical features, such as their personal and family intimacy, to the extent that
that some reserved data, belonging to his private life (who went to the Internet
to start a relationship or the intimate content of some of their talks), lacking
offensive entity in a situation of anonymity, they began to have it from the moment
in which any person who watched those news programs and who resided in the
location of the victim could know who they were referring to, so that the damage
psychological damage inherent to his condition as a victim of crimes was added to the moral damage
consisting of the disclosure of information about his private life that he had not consented to
make public.” (underlining is ours).
As we can see, a clear reference is made to the excessive treatment of
personal data (some of which are not of an intimate nature) to provide the
information, considering them unnecessary at all points in attention to the
concurrent circumstances. Sometimes the courts refer to intimate data,
but sometimes it is personal data that is not intimate, such as, for
For example, the image of a natural person obtained from a photograph published in a
social network or name and surname.
SAW
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/19
Balance between the Fundamental Right to Freedom of Information and the Right
Fundamental to the Protection of Personal Data.
In the specific case examined, as we have indicated, the claimed party
published, on the websites referred to in the facts, the audio of the statement before the
judge of a victim of multiple rape, to illustrate the news of a very
media.
Thus, it is not a question, as in other cases examined by jurisprudence, of endowing
of prevalence to a fundamental right over another, having to choose which one has more
weight in a specific case. If not, rather, to find a balance between
both to achieve the achievement of the purpose of the first without undermining the second.
The reconciliation of both rights is nothing new, since the legislator
European Union mandates such reconciliation in article 85 of the GDPR.
As we have seen previously, the Fundamental Right to Freedom of
Information is not unlimited, since the jurisprudential interpretation when confronted
with other rights and freedoms does not allow the same in any case and to the full extent,
but, nevertheless, the prevalence that the courts usually give it can be seen
limited by other fundamental rights that must also be respected. Thus
observes its limitation when the personal data provided was unnecessary for the
essence of the information content.
We must consider the special circumstances present in the case
examined. This is a very young woman who has suffered multiple rape. In
In the published recording, you can hear her recounting, with great emotional charge, the
sexual assault suffered in all crudeness, narrating (...).
Furthermore, we cannot lose sight of the victim status of the woman whose voice, with
all the nuances exposed, has been spread.
Let us remember, for purely illustrative purposes, that Law 4/2015, of April 27,
of the Statute of the victim of crime provides for a special need for protection of
victims of crimes against sexual freedom or sexual indemnity, as well as
victims of violent crimes, both circumstances that occur in the alleged
examined.
In this case, the situation of the victim must be considered (who is not in the
same level of equality as the accused) and what it means to spread their voice with
all its nuances, as well as the special protection that the
legal system that, without restricting the supply of information, must be made
compatible with the principle of data minimization, applicable to the form, the
medium in which the information is supplied and disseminated due to the immediate impact on the data
personal and identification of the victim.
Precisely because the evident public information interest in the news is not denied,
given the general interest in criminal cases, in this specific case, it is not about
undermine the Fundamental Right to Freedom of Information due to the prevalence
of the Fundamental Right to the Protection of Personal Data, but of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/19
make them fully compatible so that both are absolutely
guaranteed. That is, the media's freedom of information is not called into question.
of communication but the weighing with the right to data protection based
to the proportionality and need to publish the specific personal data of the voice. Such
situation could have been resolved with the use of technical procedures to
prevent voice recognition, such as, for example, distorting the voice of
the victim or the transcript of the story of the multiple rape, security measures
both, applied depending on the case in an ordinary way by the means of
communication.
At the most we must mean that the victim is an anonymous person and our
Constitutional Court, by all STC 58/2018 of June 4, affirms that the
public authorities, public officials and public figures or persons dedicated to
activities that entail public notoriety “voluntarily accept the risk of
that their subjective personality rights are affected by criticism, opinions
or adverse disclosures and, therefore, the right to information reaches, in relation to
with them, their maximum level of legitimizing effectiveness, insofar as their life and conduct
morals participate in the general interest with a greater intensity than that of those
private people who, without a vocation for public projection, see themselves
circumstantially involved in matters of public importance, to which
It is necessary, therefore, to recognize a higher level of privacy, which prevents
grant general significance to facts or conduct that would have it if they were referred to
to public figures".
The STJUE (Second Chamber) of February 14, 2019, in case C 345/17, Sergejs
Buivids mentions various criteria to weigh between the right to respect for
privacy and the right to freedom of expression, among which are “the
contribution to a debate of general interest, the notoriety of the affected person, the
object of the report, the previous behavior of the interested party, the content, form and
the repercussions of the publication, the manner and circumstances in which it was obtained
information and its veracity (see, in this sense, the ruling of the ECtHR of 27
June 2017, Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland,
CE:ECHR:2017:0627JUD000093113, paragraph 165).
In such a way that for a matter to be considered of general interest,
public relevance, they will be not only for the person who intervenes, but also for the
matter to which it refers. Both requirements must concur, resulting, at greater
abundance of what was meant in the previous section, that in the case examined
the victim is not a public person; rather the contrary, it is of great interest that
is recognized by third parties, so it may entail a new penalty
to the one already suffered. The victim is an anonymous person and must remain so, in such a way that
so that their fundamental rights are fully guaranteed.
In the present case, (i) we are not dealing with a person of public relevance, in the
sense that such relevance is sufficient to understand that it supposes, ex lege, a
dispossession of your fundamental right to the protection of your personal data, and (ii)
Although we are dealing with facts “of public relevance”, in the sense that they are revealed
as “necessary” for the presentation of ideas or opinions of public interest, that
need does not reach the provision of data that identifies the victim.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/19
For this reason, and as the Supreme Court expresses in its ruling (civil) 697/2019, of 19
December 2019, the formation of a free public opinion does not require, nor justify,
that the fundamental right to one's own image is affected [in this case the protection
of personal data] with that gravity and in a way that does not maintain the necessary
connection with the identification of the person subject to the information.
It is worth mentioning the non-compliance with point 1 of the Digital Pact for the
protection of people, signed by the entities involved, which establishes that
"The signatories of the Charter will refrain from identifying the victims in any way.
of attacks, violent acts or sexual content in their information or
publish information from which, in general, your identity can be inferred
when dealing with people of no public relevance. All this without prejudice to the fact that the
Non-public persons may be involved in newsworthy events, in which case
The information coverage will be necessary to adequately comply with the right.
to the information, taking into account the peculiarities of each case".
VII
Every person responsible for the treatment has obligations regarding
data protection, in the terms prescribed in the RGPD and the LOPDGDD,
being able to highlight, in terms of what interests us, proactive responsibility,
article 5.2 of the GDPR, the assessment of risks and the implementation of measures
of adequate security. Obligations that are even more relevant when, as in
The case we are examining is especially sensitive.
Such obligations do not wane because we are facing a person responsible for the treatment.
let it be a means of communication.
If we combine the diffusion of the victim's voice (with all its nuances), which makes it
identifiable and can be recognized by third parties, with the factual account that is made
in relation to the violation suffered, there is a very high and very likely risk that
may suffer damage to their rights and freedoms. This has happened in other cases
of dissemination of personal data of victims of rape crimes. And this, in addition to
that with the diffusion of the voice of the victim she is being sentenced again to
can be recognized by third parties, when it is not a proportional treatment or
necessary in relation to the information purposes pursued.
It is tremendously significant that, in the case examined, the part
The defendant has immediately withdrawn the recording of the hearing in which the
voice of the victim at the request of the AEPD in two cases and has distorted the voice
of the victim in the third party, notwithstanding which the information continues to be
available and continues to be supplied with all its breadth. This shows that
to provide this specific information it was not necessary, under the terms of art.
5.1.c) of the GDPR to disseminate the voice of the victim.
VIII
Processing of excessive data
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/19
In accordance with the evidence available at the present time of
agreement to start the disciplinary procedure, and without prejudice to what results from the
instruction, it is considered that the claimed party has processed data that was excessive
as they are not necessary for the purpose for which they were processed.
The known facts could constitute an infringement, attributable to the party
claimed, of article 5.1.c) of the GDPR, with the scope expressed in the
Previous legal grounds, which, if confirmed, could mean the
commission of the offense typified in article 83.5, section a) of the GDPR, which under
the heading "General conditions for the imposition of administrative fines"
provides that:
Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for the
of greater amount:
a) the basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9;
In this regard, the LOPDGDD, in its article 71 establishes that "They constitute
offenses the acts and behaviors referred to in sections 4, 5 and 6 of the
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law.”
For the purposes of the limitation period, article 72 of the LOPDGDD indicates:
Article 72. Infractions considered very serious.
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve
a substantial violation of the articles mentioned therein and, in particular, the
following:
a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679.
IX
Classification of the offense
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/19
In order to determine the administrative fine to impose, the following must be observed:
provisions of articles 83.1 and 83.2 of the RGPD, provisions that indicate:
“Each control authority will guarantee that the imposition of administrative fines
under this Article for infringements of this Regulation
indicated in sections 4, 5 and 6 are effective in each individual case,
proportionate and dissuasive.”
“Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question
such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment to
alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or in charge of the treatment,
taking into account the technical or organizational measures that have been applied under
of articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
particular whether the controller or processor notified the infringement and, if so, in what
extent;
i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the
same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or to mechanisms of
certification approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through infringement.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/19
Regarding section k) of article 83.2 of the GDPR, the LOPDGDD, article 76,
“Sanctions and corrective measures” provides:
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:
a) The continuous nature of the infringement.
b) The linking of the offender's activity with the performance of medical treatments.
personal information.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the commission
of the offence.
e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Have, when it is not mandatory, a data protection delegate.
h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
there are controversies between those and any interested party.”
In an initial assessment, the graduation criteria are considered concurrent
following:
Aggravating factors:
- Article 83.2.a) of the RGPD:
Nature, seriousness and duration of the infringement: It is considered that the nature of the
infraction is very serious since it entails a loss of disposition and control over
the personal data of your voice to a person who has been the victim of a violent crime and
against sexual integrity and that by disseminating said personal data there was a certain risk
that it could be recognized by third parties, with the serious damages that this
would cause him.
- Article 83.2.b) of the RGPD.
Intentional or negligent infringement: Although the Agency considers that it is not
there was intentionality on the part of the communication medium, the Agency concludes that
was negligent in not ensuring a procedure that guaranteed the protection of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/19
personal data in such sensitive circumstances, especially when in many
Sometimes the voice in the news is distorted so that it is not recognized
to the person speaking.
- Article 83.2.g) of the RGPD.
Categories of personal data affected by the infringement: The certain possibility of
recognize the victim of a crime like the one reported in the news, very serious, violent
and against sexual integrity (multiple rape), represents serious damage to the
affected, since what happened is linked to his sexual life.
The amount of the fine that would correspond, without prejudice to what results from the
instruction of the procedure, is €50,000 (fifty thousand euros).
Therefore, in accordance with the above, by the Director of the Agency
Spanish Data Protection,
HE REMEMBERS:
FIRST: START SANCTIONING PROCEDURE against ATRESMEDIA
CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A, with NIF A78839271, for the
alleged violation of Article 5.1.c) of the RGPD, typified in Article 83.5 a) of the
GDPR.
SECOND: Confirm the following provisional measures imposed on
ATRESMEDIA CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A:
- Removal or distortion of the victim's voice from their web addresses, avoiding, in the
To the extent that the state of technology permits, the re-uploading or re-uploading of copies
or exact replicas by the same or other users.
- Withdrawal or modification of the contents in such a way that makes access impossible and
disposal of the original by third parties, but guarantee its conservation, for the purposes of
guard evidence that may be necessary in the course of the investigation
police or administrative or judicial process that may be instituted.
THIRD: APPOINT B.B.B. as instructor. and, as secretary, to C.C.C.,
indicating that they may be challenged, if applicable, in accordance with the provisions of the
articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector
Public (LRJSP).
FOURTH: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining party and its documentation, as well as the
documents obtained and generated by the General Subdirectorate of Inspection of
Data in the actions prior to the start of this sanctioning procedure.
FIFTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/19
sanction that could correspond would be, for the alleged violation of article 5.1.c)
of the RGPD, typified in article 83.5 a) of said regulation, administrative fine of
amount €50,000.00 (fifty thousand euros), without prejudice to what results from the
instruction.
SIXTH: NOTIFY this agreement to ATRESMEDIA CORPORACIÓN DE
MEDIOS DE COMUNICACIÓN, S.A, with NIF A78839271, granting it a period of
hearing of ten business days to formulate the allegations and present the
tests that you consider appropriate. In your written statement of allegations you must provide your
NIF and the file number that appears at the head of this document.
If within the stipulated period you do not make allegations to this initial agreement, the same
may be considered a proposal for a resolution, as established in the article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the
present initiation agreement; which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at €40,000.00 (forty thousand euros),
resolving the procedure with the imposition of this sanction.
Likewise, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a 20% reduction in the amount. With the application of this reduction,
The penalty would be established at €40,000.00 (forty thousand euros) and its payment
will imply the termination of the procedure, without prejudice to the imposition of the
corresponding measures.
The reduction for the voluntary payment of the penalty is cumulative with that corresponding
apply for recognition of responsibility, provided that this recognition
of the responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if both reductions were to be applied, the amount of the penalty would remain
established at €30,000.00 (thirty thousand euros).
In any case, the effectiveness of any of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any action or appeal pending.
administrative against the sanction.
In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (€40,000.00, forty thousand euros, or €30,000.00, thirty thousand
euros), you must make it effective by depositing it in the account number IBAN: ES00 0000
0000 0000 0000 0000 open in the name of the Spanish Agency for the Protection of
Data in the banking entity CAIXABANK, S.A., indicating in the concept the number
reference of the procedure that appears in the heading of this document and
the cause of reduction of the amount to which it is accepted.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/19
Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue the procedure in accordance with the quantity
entered.
The procedure will have a maximum duration of twelve months from the date
of the initiation agreement. After this period, its expiration will occur and, in
consequently, the archive of actions; in accordance with the provisions of the
article 64 of the LOPDGDD.
In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, as far as
Subsequently, the notifications sent to you will be made exclusively
electronically, through the Unique Enabled Electronic Address (dehu.redsara.es), and
that, if you do not access them, your rejection will be recorded in the file, considering
the procedure has been carried out and the procedure is followed. You are informed that you can
identify to this Agency an email address to receive the notice
of making notifications available and that the lack of practice of this notice does not
will prevent the notification from being considered fully valid.
Finally, it is noted that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.
935-290523
Sea Spain Martí
Director of the Spanish Data Protection Agency
>>
SECOND: On July 5, 2023, the claimed party has proceeded to pay
the penalty in the amount of 30,000 euros making use of the two reductions
provided for in the initiation Agreement transcribed above, which implies the
recognition of responsibility.
THIRD: The payment made, within the period granted to formulate allegations to
The opening of the procedure entails the renunciation of any action or appeal pending.
administrative against sanction and recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.
FUNDAMENTALS OF LAW
Yo
Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/19
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
II
Termination of the procedure
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:
"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction.
The reduction percentage provided for in this section may be increased
according to regulations."
According to what has been stated,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: DECLARE the termination of procedure PS/00312/2023, of
in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to ATRESMEDIA CORPORACIÓN DE
COMMUNICATION MEDIA, S.A.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/19
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
936-040822
Mar Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
