AEPD (Spain) - EXP202205353

From GDPRhub
AEPD - PS/00353/2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 15.04.2022
Decided: 28.04.2023
Published: 28.04.2023
Fine: 3,000 EUR
Parties: n/a
National Case Number/Name: PS/00353/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

An association that disclosed personal data of one of its members in a WhatsApp group was fined €3,000 for violating Articles 5(1)(f) and 32 GDPR.

English Summary

Facts

The data subject was a member of the Hunters' Association of Alzira (ASSOCIACIO DE CAÇADORS D'ALZIRA), the controller, and sent a letter to its president requesting access to the accounting books. The president then shared this letter in a WhatsApp group of 195 members, together with private conversations with the data subject. The data subject filed a complaint with the Spanish DPA.

Holding

The DPA highlighted that the WhatsApp group in question should be limited solely to the sharing of information necessary for the fulfilment of the association's purposes. It therefore held that personal data had been unduly disclosed to third parties, in violation of the principle of integrity and confidentiality.

Likewise, it found that the Association had not implemented sufficient security measures in view of the potential risks involved in the processing activity.

For these reasons, the DPA imposed a fine of: a) €2,000 for the violation of Article 5(1)(f) GDPR; b) €1,000 for the violation of Article 32 GDPR.

Comment

It is interesting to note two issues in this decision:

a) the processing, consisting of sharing personal information in a WhatsApp group, was carried out without a legal basis, so there would in the first place be a violation of Article 6(1) GDPR. However, the DPA did not analyse the lawfulness of the processing and went straight to the analysis of the Article 5 principles, in particular the principle of integrity and confidentiality.

b) the DPA applied two separate fines, one for violation of Article 5(1)(f) and one for violation of Article 32 GDPR. Apparently, the Spanish DPA has adopted this method of applying separate fines more recently.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202205353
RESOLUTION OF SANCTIONING PROCEDURE
In the proceeding conducted by the Spanish Data Protection Agency, and on the basis of the following
BACKGROUND
FIRST: On April 15, 2022, D. A.A.A. (hereinafter, the claimant) filed a complaint with the Spanish Data Protection Agency. The complaint is directed against ASSOCIACIO DE CAÇADORS D'ALZIRA with NIF G96965223 (hereinafter, the ASSOCIATION). The grounds on which the complaint is based are as follows:
The person in charge of the Alzira hunters' association made public, in a WhatsApp group made up of 195 members, the letter submitted by the claimant requesting the association's account books, emphasising that the member who had requested it was member no. XXX, known because, according to what he states in his messages, they had lost the elections.
In the conversation held in the WhatsApp group, the person in charge of the association states that the events that occurred are intended to attack and threaten the current board of directors, and he himself copies and pastes the private conversation into the group, disseminating it without the claimant's authorisation.
Whereupon the claimant, in the same WhatsApp group, informs all members that there has been a violation of rights and that a complaint will therefore be filed with the Spanish Data Protection Agency.
Screenshots of the conversation held in the aforementioned WhatsApp group were attached to the complaint.
SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the complaint was transferred to the ASSOCIATION so that it could analyse it and inform this Agency, within one month, of the actions taken to comply with the requirements of the data protection regulations.
The transfer, made by electronic notification in accordance with the rules laid down in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was not collected by the party responsible within the period during which it was made available and was therefore deemed rejected, in accordance with Article 43.2 of the LPACAP, on May 22, 2022, as recorded in the certificate on file.
Although the notification was validly made by electronic means, and the procedure is deemed completed in accordance with Article 41.5 of the LPACAP, a copy was sent for information by certified post, which was returned as "absent" after two delivery attempts.
THIRD: On June 28, 2022, in accordance with Article 65 of the LOPDGDD, the complaint filed by the claimant was admitted for processing.
FOURTH: On July 15, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent for the alleged infringement of Article 5.1.f) of the GDPR and Article 32 of the GDPR, classified in Articles 83.5 and 83.4 of the GDPR respectively.
The initiation agreement, served by electronic notification in accordance with the rules laid down in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was not collected by the party responsible within the period during which it was made available and was therefore deemed rejected, in accordance with Article 43.2 of the LPACAP, on July 18 of that same year, as recorded in the certificate on file.
Although the notification was validly made by electronic means, it was repeated by certified post, which was returned as "absent" after two delivery attempts.
Finally, given the impossibility of making the notification, it was made by means of an announcement published in the Official State Gazette on October 21, 2022, in accordance with Article 44 of the LPACAP.
FIFTH: Once the aforementioned initiation agreement had been notified in accordance with the rules laid down in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), and after the period granted for the submission of allegations had elapsed, it was verified that no allegations had been received from the respondent.
Article 64.2.f) of the LPACAP, a provision of which the respondent was informed in the agreement initiating the proceedings, establishes that if no allegations are made within the established period regarding the content of the initiation agreement, then, where that agreement contains a precise pronouncement on the responsibility imputed, it may be considered a proposed resolution. In the present case, the agreement initiating the sanctioning proceedings set out the facts on which the imputation was based, the infringement of the GDPR attributed to the respondent and the sanction that could be imposed. Therefore, taking into account that the respondent has not made any allegations to the initiation agreement, and in accordance with Article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case a proposed resolution.
In view of all the proceedings, the Spanish Data Protection Agency considers the following facts proven in this procedure:
PROVEN FACTS
FIRST: It is established in the file that the personal data of the claimant were improperly disclosed to third parties through a conversation in a WhatsApp group created by the ASSOCIATION.
SECOND: It is established in the file that the conversation, together with the documentation that the claimant, member no. XXX of the previous board of directors chaired by D. B.B.B., had sent to the ASSOCIATION, was disclosed via WhatsApp.
LEGAL GROUNDS
I
In accordance with the powers that Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, Article 63.2 of the LOPDGDD provides that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II
Article 5.1.f) of the GDPR
Article 5.1.f) "Principles relating to processing" of the GDPR establishes:
"1. Personal data shall be:
(…)
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."
In the present case, it is clear that the personal data of the claimant, obtained from the ASSOCIATION's database, were improperly disclosed to third parties through a conversation in a WhatsApp group, in breach of the principle of confidentiality, although there is no record of whether or not third parties subsequently made use of the claimant's personal information.
III
Classification of the infringement of Article 5.1.f) of the GDPR
The aforementioned infringement of Article 5.1.f) of the GDPR constitutes one of the infringements classified in Article 83.5 of the GDPR, which under the heading "General conditions for imposing administrative fines" provides:
"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (…)"
In this regard, Article 71 "Infringements" of the LOPDGDD establishes that:
"The acts and conduct referred to in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements."
For the purposes of the limitation period, Article 72 "Infringements considered very serious" of the LOPDGDD indicates:
"1. On the basis of Article 83.5 of Regulation (EU) 2016/679, infringements that involve a substantial breach of the articles mentioned therein are considered very serious and shall become time-barred after three years, and in particular the following:
a) The processing of personal data in breach of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679. (…)"
IV
Penalty for the infringement of Article 5.1.f) of the GDPR
For the purposes of imposing an administrative fine and determining its amount, it is considered that the infringement in question is serious for the purposes of the GDPR and that the sanction to be imposed must be graduated in accordance with the criteria established in Article 83.2 of the GDPR.
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the criteria established in paragraph 2 of Article 76 "Sanctions and corrective measures" of the LOPDGDD.
The balance of the circumstances contemplated in Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD, with respect to the infringement committed by breaching the provisions of Article 5.1.f) of the GDPR, allows a penalty of €2,000 (TWO THOUSAND EUROS) to be set.
V
Article 32 of the GDPR
Article 32 "Security of processing" of the GDPR establishes:
"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."
In the present case, at the time of the security breach, there is no record that the ASSOCIATION had reasonable security measures in place based on the possible risks estimated.
It is noteworthy that the ASSOCIATION's WhatsApp group should be limited solely to disseminating the information necessary for the fulfilment of the purposes of the association. Consequently, disclosing via WhatsApp the conversation, together with the documentation that the claimant, member no. XXX of the previous board chaired by D. B.B.B., had sent to the ASSOCIATION requesting the association's account books, does not guarantee the confidentiality, integrity and availability of the processing systems and services.
VI
Classification of the infringement of Article 32 of the GDPR
The aforementioned infringement of Article 32 of the GDPR constitutes one of the infringements classified in Article 83.4 of the GDPR, which under the heading "General conditions for imposing administrative fines" provides:
"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; (…)"
In this regard, Article 71 "Infringements" of the LOPDGDD establishes that "The acts and conduct referred to in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements."
For the purposes of the limitation period, Article 73 "Infringements considered serious" of the LOPDGDD indicates:
"On the basis of Article 83.4 of Regulation (EU) 2016/679, infringements that involve a substantial breach of the articles mentioned therein are considered serious and shall become time-barred after two years, and in particular the following:
…
g) The breach, as a consequence of a lack of due diligence, of the technical and organisational measures implemented in accordance with Article 32.1 of Regulation (EU) 2016/679."
VII
Penalty for the infringement of Article 32 of the GDPR
For the purposes of imposing an administrative fine and determining its amount, it is considered that the infringement in question is serious for the purposes of the GDPR and that the sanction to be imposed must be graduated in accordance with the criteria established in Article 83.2 of the GDPR.
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the criteria established in paragraph 2 of Article 76 "Sanctions and corrective measures" of the LOPDGDD.
The balance of the circumstances contemplated in Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD, with respect to the infringement committed by breaching the provisions of Article 32 of the GDPR, allows a penalty of €1,000 (ONE THOUSAND EUROS) to be set.
Therefore, in accordance with the applicable legislation and having assessed the criteria for the graduation of sanctions whose existence has been established, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE ON ASSOCIACIO DE CAÇADORS D'ALZIRA, with NIF G96965223, for an infringement of Article 5.1.f) of the GDPR classified in Article 83.5 of the GDPR, a fine of €2,000 (TWO THOUSAND EUROS).
TO IMPOSE ON ASSOCIACIO DE CAÇADORS D'ALZIRA, with NIF G96965223, for an infringement of Article 32 of the GDPR classified in Article 83.4 of the GDPR, a fine of €1,000 (ONE THOUSAND EUROS).
SECOND: TO NOTIFY this resolution to ASSOCIACIO DE CAÇADORS D'ALZIRA.
THIRD: To warn the sanctioned party that it must pay the sanction imposed once this resolution becomes enforceable, in accordance with Article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to Article 62 of Law 58/2003, of December 17, by paying it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT code: XXXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.
Once the notification has been received and the resolution has become enforceable, if the date on which it becomes enforceable falls between the 1st and the 15th of the month, both inclusive, the voluntary payment period shall run until the 20th day of the following month or the next business day thereafter, and if it falls between the 16th and the last day of the month, both inclusive, the payment period shall run until the 5th day of the second following month or the next business day thereafter.
In accordance with Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which brings the administrative procedure to an end in accordance with Article 48.6 of the LOPDGDD, and in accordance with Article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of that Law.
Finally, it is noted that, in accordance with Article 90.3 a) of the LPACAP, the final resolution may be provisionally suspended in administrative proceedings if the interested party expresses the intention to file a contentious-administrative appeal. If so, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/] or through any of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also provide the Agency with the documentation proving that the contentious-administrative appeal has actually been filed. If the Agency is not made aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, the precautionary suspension will be terminated.
938-181022
Mar España Martí
Director of the Spanish Data Protection Agency