AEPD (Spain) - PS/00410/2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...")
 
No edit summary
 
(5 intermediate revisions by 3 users not shown)
Line 25: Line 25:
|GDPR_Article_1=Article 6(1)(a) GDPR
|GDPR_Article_1=Article 6(1)(a) GDPR
|GDPR_Article_Link_1=Article 6 GDPR#1a
|GDPR_Article_Link_1=Article 6 GDPR#1a
|GDPR_Article_2=Article 2(2)(c) GDPR
|GDPR_Article_Link_2=Article 2 GDPR#2c


|EU_Law_Name_1=Article 1 Charter of Fundamental Rights of the European Union
|EU_Law_Name_1=Article 1 Charter of Fundamental Rights of the European Union
Line 54: Line 57:
}}
}}


The Spanish DPA fined an individual €1500 for disseminating personal data related to sex life from a data subject, rejecting a BDSM submission contract as a valid form of consent.
The Spanish DPA fined an individual €1500 for sharing personal data related to the sex life of the complainant on a website. The DPA rejected the individual's claim that a BDSM submission contract is a valid form of consent, and a legitimate basis for the publishing of such personal data.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
An individual published in a website personal data of another individual related to their sex life, including photographs, notes and sexual references. Following a complaint of the data subject, the Spanish DPA (AEPD) launched an investigation.  
An individual published, on a website, personal data of another individual related to their sex life, including photographs, notes and sexual references. Following a complaint of the data subject, the Spanish DPA (AEPD) launched an investigation.  


The website, as found by the AEPD, belonged to the defendant.  
The website, as found by the AEPD, belonged to the defendant.  


The defendant alleged that the website was meant to be private, and was created as a remembrance of their 7-years relationship after a difficult divorce. Therefore, the household exception should apply. They also alleged that the web did not contain the subject's surnames and that their face was pixelated, and that the personal data was therefore anonymous.  
The defendant alleged that the website was meant to be private, and was created as a remembrance of their 7-years relationship after a difficult divorce. Therefore, the household exception should apply. They also alleged that the website did not contain the data subject's surname and that their face was pixelated, and that the personal data was therefore anonymous.  


Furthermore, the defendant alleged that they had signed a contract in 2013 in which they consented the dissemination of images, photographs, videos, or any similar content.  
Furthermore, the defendant alleged that they had signed a contract in 2013 in which they consented the dissemination of images, photographs, videos, or any similar content.  


This contract, brought in by the defendant, was a BDSM submission contract. The contract contained a clause in which the data subject waiveed their privacy, giving herself up as a "slave/submissive", and allowed the defendant to showcase anything related to the data subject. The contract also had a clause that allowed any of the parties to terminate it in any moment.  
This contract, brought in by the defendant, was a BDSM submission contract. The contract contained a clause in which the data subject waived their privacy, giving herself up as a "slave/submissive", and allowed the defendant to showcase anything related to the data subject. The contract also had a clause that allowed any of the parties to terminate it in any moment.  
 
=== Dispute ===
 
 
=== Holding ===
=== Holding ===
The DPA held, firstly, that the household exception was not applicable. Making reference to the Lindqvist, Rynes, and Jehova's Witnesses judgments, the DPA alleged that the processing can only be private or domestic when it only affects incidentally the data of third parties. In this case, the processing is not incidental but the main objective of the processing. Additionally, the website was not private but could be accessed by any third party, and therefore the data were made accessible to an indefinite number of people.
The DPA held, firstly, that the household exception was not applicable. Making reference to the [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62001CJ0101&from=EN Lindqvist], [https://curia.europa.eu/juris/document/document.jsf?docid=160561&doclang=EN Rynes], and [https://curia.europa.eu/juris/document/document.jsf;jsessionid=F78290DA7980D37A75BF86AA7C93E77C?text=&docid=203822&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=407949 Jehova's Witnesses] CJEU judgments, the DPA alleged that the processing can only be private or domestic when it only affects incidentally the data of third parties. In this case, the processing is not incidental but the main objective of the processing. Additionally, the website was not private but could be accessed by any third party, and therefore the data were made accessible to an indefinite number of people.
 
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62001CJ0101&from=EN
 
https://curia.europa.eu/juris/document/document.jsf?docid=160561&doclang=EN
 
https://curia.europa.eu/juris/document/document.jsf;jsessionid=F78290DA7980D37A75BF86AA7C93E77C?text=&docid=203822&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=407949


Furthermore, the images were not anonymised, as alleged by the defendant, as the data subject was fully recognizable.  
Furthermore, the images were not anonymised, as alleged by the defendant, as the data subject was fully recognizable.  
Line 85: Line 78:
Regarding the alleged consent provided in the contract, the DPA concluded that such consent was not valid.  
Regarding the alleged consent provided in the contract, the DPA concluded that such consent was not valid.  


The AEPD mentioned both the Spanish Constitution (CE) and the Charter of Fundamental Rights of the European Union (CFRUE). According to Article 1 CFRUE, human  dignity  is  inviolable and must  must  be  respected  and  protected. In a similar sense, Article 10 CE states that the dignity of the people, the inviolable rights that are inherent to them, the free development of the personality, and the respect for the law and for the rights of others are the basis of political order and social peace.
The AEPD mentioned both the [https://www.boe.es/buscar/act.php?id=BOE-A-1978-31229 Spanish Constitution] (CE) and the [https://www.europarl.europa.eu/charter/pdf/text_en.pdf Charter of Fundamental Rights of the European Union] (CFRUE). According to Article 1 CFRUE, human  dignity  is  inviolable and must  must  be  respected  and  protected. In a similar sense, Article 10 CE states that the dignity of the people, the inviolable rights that are inherent to them, the free development of the personality, and the respect for the law and for the rights of others are the basis of political order and social peace.  
 
https://www.europarl.europa.eu/charter/pdf/text_en.pdf
 
https://www.boe.es/buscar/act.php?id=BOE-A-1978-31229
 
In this regard, the Constitutional Court has established that the fundamental right to data protection aims to prevent data processing that is harmful for people's dignity and rights. It has also said that dignity is a minimum that shall remain unaltered, so no limitations to individual rights may entail a detriment to the esteem that every human being deserves.  


http://hj.tribunalconstitucional.es/es-ES/Resolucion/Show/3596
In this regard, the Constitutional Court has established that the fundamental right to data protection aims to prevent data processing that is harmful for people's dignity and rights ([http://hj.tribunalconstitucional.es/es-ES/Resolucion/Show/3596 sentencia 94/1998, de 4 de mayo]). It has also said that dignity is a minimum that shall remain unaltered, so no limitations to individual rights may entail a detriment to the esteem that every human being deserves ([http://hj.tribunalconstitucional.es/es-ES/Resolucion/Show/2574 sentencia 57/1994, de 28 de febrero]).
 
http://hj.tribunalconstitucional.es/es-ES/Resolucion/Show/2574


Therefore, according to the DPA, the contract provided by the defendant, in which the data subject waives their privacy, giving herself up as a "slave/submissive", lacks any contractual validity, since human dignity and the right to data protection are basis of political order, against which the contract acts.
Therefore, according to the DPA, the contract provided by the defendant, in which the data subject waives their privacy, giving herself up as a "slave/submissive", lacks any contractual validity, since human dignity and the right to data protection are basis of political order, against which the contract acts.


This is also sustained by Article 6 of the Spanish Civil Code, that establishes that the waiver of rights is not valid when it subverts public order or harms any thirds parties.
This is also sustained by Article 6 of the [https://www.boe.es/buscar/act.php?id=BOE-A-1889-4763 Spanish Civil Code], that establishes that the waiver of rights is not valid when it subverts public order or harms any thirds parties.
 
https://www.boe.es/buscar/act.php?id=BOE-A-1889-4763


Therefore, given the lack of valid consent for the dissemination of the data subject's personal data, the DPA considered that the defendant had violated [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], and fined them €1500.  
Therefore, given the lack of valid consent for the dissemination of the data subject's personal data, the DPA considered that the defendant had violated [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], and fined them €1500.  

Latest revision as of 17:00, 14 December 2022

AEPD (Spain) - PS/00410/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 2(2)(c) GDPR
Article 1 Charter of Fundamental Rights of the European Union
Article 10 Spanish Constitution
Article 6 Spanish Civil Code
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.06.2021
Published: 02.07.2021
Fine: 1500 EUR
Parties: n/a
National Case Number/Name: PS/00410/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined an individual €1500 for sharing personal data related to the sex life of the complainant on a website. The DPA rejected the individual's claim that a BDSM submission contract is a valid form of consent, and a legitimate basis for the publishing of such personal data.

English Summary

Facts

An individual published, on a website, personal data of another individual related to their sex life, including photographs, notes and sexual references. Following a complaint of the data subject, the Spanish DPA (AEPD) launched an investigation.

The website, as found by the AEPD, belonged to the defendant.

The defendant alleged that the website was meant to be private, and was created as a remembrance of their 7-years relationship after a difficult divorce. Therefore, the household exception should apply. They also alleged that the website did not contain the data subject's surname and that their face was pixelated, and that the personal data was therefore anonymous.

Furthermore, the defendant alleged that they had signed a contract in 2013 in which they consented the dissemination of images, photographs, videos, or any similar content.

This contract, brought in by the defendant, was a BDSM submission contract. The contract contained a clause in which the data subject waived their privacy, giving herself up as a "slave/submissive", and allowed the defendant to showcase anything related to the data subject. The contract also had a clause that allowed any of the parties to terminate it in any moment.

Holding

The DPA held, firstly, that the household exception was not applicable. Making reference to the Lindqvist, Rynes, and Jehova's Witnesses CJEU judgments, the DPA alleged that the processing can only be private or domestic when it only affects incidentally the data of third parties. In this case, the processing is not incidental but the main objective of the processing. Additionally, the website was not private but could be accessed by any third party, and therefore the data were made accessible to an indefinite number of people.

Furthermore, the images were not anonymised, as alleged by the defendant, as the data subject was fully recognizable.

Regarding the alleged consent provided in the contract, the DPA concluded that such consent was not valid.

The AEPD mentioned both the Spanish Constitution (CE) and the Charter of Fundamental Rights of the European Union (CFRUE). According to Article 1 CFRUE, human dignity is inviolable and must must be respected and protected. In a similar sense, Article 10 CE states that the dignity of the people, the inviolable rights that are inherent to them, the free development of the personality, and the respect for the law and for the rights of others are the basis of political order and social peace.

In this regard, the Constitutional Court has established that the fundamental right to data protection aims to prevent data processing that is harmful for people's dignity and rights (sentencia 94/1998, de 4 de mayo). It has also said that dignity is a minimum that shall remain unaltered, so no limitations to individual rights may entail a detriment to the esteem that every human being deserves (sentencia 57/1994, de 28 de febrero).

Therefore, according to the DPA, the contract provided by the defendant, in which the data subject waives their privacy, giving herself up as a "slave/submissive", lacks any contractual validity, since human dignity and the right to data protection are basis of political order, against which the contract acts.

This is also sustained by Article 6 of the Spanish Civil Code, that establishes that the waiver of rights is not valid when it subverts public order or harms any thirds parties.

Therefore, given the lack of valid consent for the dissemination of the data subject's personal data, the DPA considered that the defendant had violated Article 6(1)(a) GDPR, and fined them €1500.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/13








     Procedure No.: PS / 00410/2020

                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:
                                   BACKGROUND


FIRST: Mrs. A.A.A. (hereinafter, the complaining party), dated 25
September 2020, filed a claim with the Spanish Agency for the Protection of
Data.

The claim is directed against Don B.B.B., with NIF *** NIF.1, (hereinafter, the part
claimed). The reasons on which the claim is based are the following:


Publish on the website *** URL.1 personal data of the claimant without her authorization.
tion or consent, including photographs, personal notes, and references
reference to their sexual relations with the respondent. Provides position data
responsible for this website with which you are in the process of divorce.

Which, according to the complainant, took place on the date of: between March 11, 2020 and
time of claim

SECOND: In view of the facts denounced in the claim and the documents
information provided by the claimant / of the facts and documents of which he has had
Knowing this Agency, the Subdirectorate General for Data Inspection proceeded to

carrying out preliminary investigation actions to clarify the
facts in question, by virtue of the investigative powers granted to the authorities
des of control in article 57.1 of Regulation (EU) 2016/679 (General Regulation
of Data Protection, hereinafter RGPD), and in accordance with the provisions of the
Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5,

Protection of Personal Data and guarantee of digital rights (LOPDGDD).

As a result of the investigative actions carried out, it is verified that the
responsible for the treatment is the claimed party.


As a result of the investigative actions carried out, it is verified that the
responsible for the treatment is the claimed one.

     On October 16, 2020, the reported extremes were confirmed
        being on the website numerous photographs scattered throughout the

        site, many personal notes of the claimed and references to its activity
        sexual.
       Diligence is generated with screen printing of the "Cover" pages,
       "Beginnings", "Your notes" and some photos from the Gallery.

On October 19, 2020, this Agency agrees to notify the entity

Internet hosting of the website precautionary measure of withdrawal of the content
reclaimed.

     On October 20, this entity is notified.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/13








     On October 21, 2020 it is verified that the website has been
        closed.
     There is no page or document on this website where it is specified
        the person in charge of the site. However, a search is performed using the

        WHOIS tool obtaining matching result in name and surname
        with the claimed, as the owner of the domain "*** URL.1".
     Made a request for information on the complete ownership data
        of the domain “*** URL.1” to the public business entity RED.ES, with the date of
        October 28, 2020 a written reply is received at this Agency

        sent by RED.ES informing of the data of the owner of the domain resulting
        be consistent with the data of the claimed.

THIRD: On February 25, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the complained party, with
according to the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Pro-

Common Administrative Assignment of Public Administrations (hereinafter, LPA-
CAP), for the alleged infringement of Art 6.1.a) of the RGPD, typified in Art 83.5 of the
GDPR.

FOURTH: Once the aforementioned commencement agreement was notified, the claimed party submitted a written

allegations in which, in summary, it states the following:

    1. That since March 2020 he is the owner of the domain *** URL.1; in that
        domain have included texts and photographs of the relationship maintained for 7
        years with the complaining party, the last two already married. The process of
        divorce, which was very painful, led him to create the aforementioned page with

        the hope of remembering the good times and reconciling. This proves it
        that there are no reproaches or insults. The page was not intended to be visited,
        rather it was addressed to a single addressee, as it was; lacked interest
        for third parties. Therefore, the exception of article 4.a) of
        the LOPDGDD, as it is something personal and domestic. European regulations
        It was designed for large corporations or companies that make massive use

        of data. The complaining party may request the withdrawal of information by
        responsible for its publication, but cannot be penalized for it. I could only
        Report to the civil courts for violation of privacy and
        honor.

    2. The Agency includes in the initiation agreement, article 4, sections 1 and 2 of the

        RGPD, forgetting that the publication does not include the surnames of the claim.
        mante, only his first name, so it is somewhat anonymous. In the post
        44 photographs appear, 36 in which they are together or with other people and 8
        in which she appears alone, but with a pixelated face. In any case, try
        Taking pictures of the inner circle, they are to be considered domestic. The
        Images do not identify or make the complaining party identifiable.


    3. If it is considered that article 6 of the RGPD could have been violated, accompany
        panes a contract signed between both parties in 2013, in which they agree
        feel in the dissemination of images, photographs or videos in any modality
        or format. This is stated in point 10 of the contract. The page has been operational

        rative until the divorce decree was passed; and at no time
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/13








       turned to request its cancellation.

    4. The following have been taken into consideration when imposing the sanction

       aggravating factors: a) the nature, severity and duration of the offense, taking into account
       account of the nature, scope or purpose of the treatment operation of
       concerned as well as the number of interested parties affected and the level of
       damages and losses they have suffered; nature and severity that it values subjectively
       mind the agency, taking into account the duration, which has been short, the
       limited scope since it has not been disseminated, the purpose that was reconciliation

       tion. The claimed party has not indicated that damages have been caused
       I swim. Regarding intentionality or negligence, it must be assessed that they have
       Pixelated images to avoid recognition by third parties. Shows his
       disagreement with the aggravating factors applied.


The supporting document provided by the claimed party to demonstrate that it counted
With the consent of the complaining party, it is called “Submission Contract
BDSM ”, in which the complaining party, in use of the powers and giving it value with
tractual, is delivered to its master, owner, lord and master (the claimed one), as
slave / submissive, giving her all rights over her person. On the other hand, the
claimed takes possession of the body and mind of the claimant, considering it his

property. Section 10 indicates the following:

       “I renounce all right of privacy or concealment. If my master decides to exhi-
birme before other people I will show myself to them in the terms indicated to me,
assuming it can even be face-to-face. This disclaimer includes photographs

and videos of myself or myself in any situation or form, accepting that my Master
and Lord may show them. If my Lord and Master decide to make public images of me
(photographs or videos), in all my acts as your submissive / slave, I will consider you a
honor. It is also the power of my Master and Lord to punish me, possess me and submit me
publicly to enjoy my full submission "


In the “BDSM submission contract”, there is a section on “Termination of the Contra-
Submission Agreement ”in which it is indicated: This Contract may be terminated in any-
I want a moment for either party.

FIFTH: On March 22, 2021, the instructor of the procedure agreed to the

opening of a period of practical tests, taking as incorporated the
preliminary investigation actions, E / 08354/2020, as well as the documents
provided by the defendant, on March 18, 2021.

SIXTH: On April 3, 2021, a resolution proposal was formulated,

proposing that the Director of the Spanish Data Protection Agency
sanction the claimed party with a fine of 10,000 euros, for an infraction of the
Article 6.1.a) of the RGPD, typified in Article 83.5 of the RGPD, and qualified as
very serious infraction, for the purposes of prescription, by article 72.1.b) of the
LOPDGDD.


The complained party submitted a brief of allegations, in which it states the following:

“Mr. Instructor understands that the legitimate cause of the trafficking is not applicable to the case.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/13








data content contained in article 6.1.b) of the RGPD arguing that,
although the contract signed between the parties (document No. 1 provided in previous
brief of allegations) could be considered valid for the treatment of images,

Said contract was terminated by the claimant herself when requesting the divorce of the claimant.
mado. It must be assumed that in order to reach this conclusion, the
Article 102 of the Civil Code, which stipulates that one of the effects of the admission of the
order of nullity, separation or divorce is the revocation of the consents and
rights that either spouse had granted to the other ...


In accordance with section 2 of article 2 of Organic Law 15/1999, of December 13,
census (LOPD), the personal data protection regime that is
established in the Organic Law, the following shall not apply: To files maintained by per-
physical activities in the exercise of exclusively personal or domestic activities.


Well, in the present case there is no more personal data of the claimant than
a series of pixelated photographs, and that implies that there are no surnames, addresses,
activities, references or any other element susceptible to knowledge or
lawsuit by third parties, which prevents your rights from being affected in any way
na way. On the other hand, these are files maintained by a natural person "par-
ticular ", so that there has been no professional, commercial or industrial treatment,

no company has intervened, and the treatment has been carried out in the exclusive field
sive of a personal or domestic activity.

As Mr. Instructor points out, article 83.2 of the RGPD provides that when deciding the
imposition of an administrative fine and its amount in each individual case shall be

will take into account the aggravating and mitigating factors that are listed in said article
ass, as well as any other that may be applicable to the circumstances of the
case. Regarding the aggravating grounds of law applied to the file
In the proposed sanction, the first and literal impact is applied to the duration of the
infringement, but the GDPR speaks more specifically of the "continuous nature of

the offense ", that is, it refers to the number of occasions in which the defendant
has carried out the infringement and, it is the case, that the defendant carried out a single and exclusive
publication without additions or other subsequent interventions, so it is updated
tion had an isolated character irrespective of which photographs remained
They will be on the page for the seven months it was in effect.


Regarding intentionality, it does not seem that the Regulation refers to the offender
has been done for one or another purpose, as interpreted by the Instructor, but to the existence of
negligence or not, so that, although ignorance of the Law does not require
compliance, it must be taken into account whether the alleged offender is a
It is a physicist that does not process data regularly.


The same indeterminacy can be appreciated with respect to the criterion of seriousness of the infraction.
tion and, even more so if, as indicated by the instructor, said severity is a function of
Damages and losses suffered by the claimant, since the record does not appear to contain
the least accreditation in this regard.


In any case, the proposed sanction does not comply with the provisions of articles 83.3 and
83.2 of the RGPD inasmuch as it totally dispenses with the principle of proportionality and
exclusively to a mere tax collection effort in which a minimum and pru-

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/13








dente examination of the economic circumstances of the alleged offender.

The defendant has as his only income what he obtains through his work

wage earner who, as can be seen through the payrolls that are attached as do-
document no. 1, barely exceeds 1,000.00 euros per month.

                                PROVEN FACTS

FIRST: On September 25, 2020, the claimant filed a claim

before the Spanish Agency for Data Protection, directed against the claimed. The
The reason is the publication on the website *** URL.1, of personal data of the
complainant without their authorization or consent, including photographs,
personal notes and reference to their sexual relations with the respondent.
Provide details of the possible person responsible for this website with which you are in

contentious divorce process.

Which, according to the claimant, took place on the date of: between March 11, 2020 and the
time of claim.

SECOND: On October 16, 2020, the reported extremes are verified

being on the website numerous photographs scattered throughout the site,
many personal notes from the claimed and references to her sexual activity.

Diligence is generated with screen printing of the pages "Cover", "Beginnings",
"Your notes" and some photos from the Gallery.


The screenshots show that, although some attempts have been made
photographs its pixelated, the image of the claimant is absolutely identifiable.

THIRD: On October 19, 2020, it was agreed by this Agency to notify

to the Internet hosting entity of the website precautionary measure of withdrawal of the
claimed content. On October 20, it is notified and on
October 2020 it is verified that the website has been closed.

                           FOUNDATIONS OF LAW


                                           I
By virtue of the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), recognizes each
Control Authority, and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and

guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Agency
Spanish Data Protection is competent to initiate and resolve this
process.

Article 63.2 of the LOPDGDD determines that: “The procedures processed by the

Spanish Data Protection Agency shall be governed by the provisions of the
Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in their development and, as long as they do not contradict them, in a
subsidiary, by the general rules on administrative procedures. "

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/13









                                            II
The physical image of a person, according to article 4.1 of the RGPD, is data

personal protection and their protection, therefore, is the object of said Regulation.

Article 4.2 of the RGPD defines "treatment" as: "any operation or set
of operations carried out on personal data or personal data sets,
whether by automated procedures or not, such as collection, registration,
organization, structuring, conservation, adaptation or modification, extraction,

consultation, use, communication by transmission, broadcast or any other form of
authorization of access, collation or interconnection, limitation, deletion or destruction. "

The recording and dissemination of images, which identify or make identifiable a
person, on social networks or websites, involves data processing

personal data and, therefore, the person who does it has to rely on one of the
legitimizing causes indicated in article 6 of the RGPD. In these cases, as
In the case that is the subject of the claim, the only legitimate cause is usually the
consent, in general. And it is the person who records and uploads the images to a
website which must demonstrate that it has that consent.


In order for this treatment to be carried out lawfully, the following must be fulfilled.
established in article 6.1 of the RGPD, which indicates:

       << 1. The treatment will only be lawful if at least one of the following is met
terms:


       a) the interested party gave their consent for the processing of their data
personal for one or more specific purposes;
       b) the treatment is necessary for the performance of a contract in which the
interested is part or for the application at the request of this of measures

pre-contractual;
       c) the treatment is necessary for the fulfillment of a legal obligation
applicable to the person responsible for the treatment;
       d) the treatment is necessary to protect vital interests of the interested party or
of another natural person;
       e) the treatment is necessary for the fulfillment of a mission carried out in

public interest or in the exercise of public powers conferred on the person responsible for the
treatment;
       f) the treatment is necessary for the satisfaction of legitimate interests
pursued by the data controller or by a third party, provided that on
said interests do not prevail the interests or the rights and freedoms

fundamental data of the interested party that require the protection of personal data, in
particular when the interested party is a child.
       The provisions of letter f) of the first paragraph shall not apply to the
treatment carried out by public authorities in the exercise of their functions. >>.


Article 7 of the RGPD establishes, in its first section, the following: “1. When the
treatment is based on the consent of the interested party, the person in charge must be
capable of demonstrating that he consented to the processing of his personal data ”.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/13








On the other hand, the first section of article 7 of the LOPDGDD specifies how it has
if this consent is: “1. In accordance with the provisions of article 4.11 of the
Regulation (EU) 2016/679, the consent of the affected party is understood to be all

manifestation of free, specific, informed and unequivocal will for which this
accepts, either through a declaration or a clear affirmative action, the treatment
of personal data concerning him. "

                                            III
In accordance with the accreditations currently available

of the sanctioning procedure, it is considered that the defendant did not obtain a consent
valid consent of the claimant for the processing of their personal data that has been
found that it occurred when published on the website *** URL. 1 photos, notes
personal information and reference to their sexual relations with the defendant of the
claimant, once the separation had taken place and the process of

contentious vorcio; nor was it legitimized by the contractual relationship that it maintains
they had from the moment of the couple's breakup.

The known facts could constitute an infringement, attributable to the claim.
, due to violation of article 6.1 outlined, as there is no consent to the processing of
data processing carried out or any other cause that legitimizes said treatment.


In relation to the supporting document provided by the claimed party for
prove that he had the consent of the complaining party, we must leave
of article 10 of the Spanish Constitution, which states, in its first section that
"The dignity of the person, the inviolable rights that are inherent, the free

personality development, respect for the law and the rights of others are
foundation of political order and social peace ”while the second section
adds that “The norms relating to fundamental rights and freedoms that
the Constitution recognizes shall be interpreted in accordance with the Universal Declaration
of Human Rights and international treaties and agreements on them

matters ratified by Spain ”. In this sense, article 1 of the Charter of the
Fundamental Rights of the European Union affirms that “Human dignity is
inviolable. It will be respected and protected ”.

The Constitutional Court indicated in its Sentence 94/1998, of May 4, that
Through a fundamental right to data protection, the person is guaranteed the

control over your data, any personal data, and over its use and destination, to
prevent the illicit traffic of the same or harmful to the dignity and rights of the
affected. Previously, in its Judgment 57/1994, of February 28, the Court
Constitution had affirmed that “the rule of art. 10.1 C.E., projected on the
individual rights, implies that dignity must remain unaltered whichever

that is the situation in which the person finds himself, constituting, consequently,
an invulnerable minimum that every legal statute must ensure, so that the
limitations imposed on the enjoyment of individual rights do not entail a
contempt for the esteem that, as a human being, the person deserves ”.


Therefore, the human dignity, inviolable, and the fundamental rights that are
inherent, among which we find the protection of personal data, are
foundation of the political order. In relation to the contract provided by the party
claimed, in which the claimant renounces “her privacy” and the protection of her

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/13








image and, in general, to "all rights over his person", surrendering as
"Slave / submissive", we must conclude that it lacks any validity
contractual. In this sense, article 6 of the Civil Code establishes that the exclusion

voluntary of the applicable Law and the waiver of the rights recognized in it only
will be valid when they do not contradict public interest or order or harm
third parties. In view of what has already been stated, the waiver of these fundamental rights
it is considered contrary to public order, which entails its lack of validity.

Regarding the allegations of the complained party, referring, firstly, that there is no

The RGPD is applied since it applies to the realization of the treatment the exception do-
as established in article 2.2 of the RGPD and article 2.2.a) of the LO-
PDGDD, the following should be noted: it says to article 2.2 of the RGPD:

        "two. This Regulation does not apply to the processing of personal data:


        c) carried out by a natural person in the exercise of activities exclusively-
personal or domestic mind ”.

This Agency, on the other hand, considers that the action of the person claimed cannot
to be included in this exception.


To define what is to be considered as treatment of an exclusively personal nature,
sonal or domestic, although in this case the application of those
precepts without going into that analysis, it is convenient to take into account the
CJEU doctrine stated in the Lindqvist, Rynes and Jehovah's Witnesses judgments

(STJUE of July 10, 2018, C-25/17).

In accordance with these judgments, it can be considered that the CJEU understands, in a
general, that the exception of activities of an exclusively personal or do-
meticum is to be interpreted in the strict sense, only when the treatment of

data affects "incidentally" the private life or intimacy of "other people", different
Tasks of the person in charge of the personal data. It is also said by the Tri-
It is clear that the character of personal or domestic activities is not exclusively defined
as opposed to the dissemination of the data, but rather that such dissemination implies that a
processing of personal data related to the private or family life of individuals
cannot be considered excluded from the protective regulations, so that

There are other cases in which, even when treating personal data of a personal nature or
this could not be understood as included within the exception provided for in the article
section 2.2 c) of the RGPD.

We must not lose sight of what is the processing of personal data that is carried out in the

This case consists of the publication and dissemination of images and private notes in
a website that could be accessed by third parties. As can be seen, in this case no
is that the private life or privacy of another person is "incidentally" affected,
but the very object of this data processing is, precisely, the image of
the claimed one. That is, the treatment of the personal data of the claimed party whose

image is being broadcast against your will is not a mere "incidental" nuisance
within a more general data processing, but rather the use of your personal data-
it is precisely the goal of treatment for them. Therefore it is not possible to consider in any
case that said data processing of the complaining party is merely incidental,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/13








rather, it is a "primary" treatment.

The CJEU of July 10, 2018, C-25/17, Jehovah's Witnesses, establishes an inter-

pretation about the concept of exclusively personal or domestic activities
and it says like this:

42 As the Court has held, Article 3 (2), second indent,
of Directive 95/46 must be interpreted in the sense that it only contemplates
the activities that fall within the framework of the private or family life of the participants

cular. In this regard, it will not proceed to consider that an activity is exclusively
personal or domestic care, for the purposes of said provision, when it is intended to allow
to an undetermined number of people access to personal data or when ac-
tivity extends, even in part, to the public space and is therefore directed
out of the private sphere of the person who proceeds to the treatment of the

data (see, in this regard, the judgments of November 6, 2003, Lindqvist,
C-101/01, EU: C: 2003: 596, paragraph 47; of December 16, 2008, Satakunnan Ma-
rkkinapörssi and Satamedia, C-73/07, EU: C: 2008: 727, paragraph 44, and of December 11
of 2014, Ryneš, C-212/13, EU: C: 2014: 2428, paragraphs 31 and 33).

The CJEU Judgment of 11/6/2003, “Lindqvist” refers to the assumption of a person

physicist, who volunteered in a church as a catechist in Sweden. Is
person had created his own web page on the internet, open to anyone, in the
who in a humorous tone made reference to his fellow volunteers in the
church, revealing their names, phone numbers, hobbies, and in some cases co-
He mentioned that a colleague of hers was on leave due to an injury or illness in a

foot, which was considered a health data. And it refers to whether this type of action
tions would be excluded from the application of data protection regulations if
consider exclusively personal or domestic activities, indicating:

"30. Ms. Lindqvist maintains that an individual who, in the exercise of his freedom of

expression, creates various web pages as part of a non-profit activity
or in their leisure time, they do not carry out an economic activity and, therefore, their conduct
is not subject to Community law ...

31. The Swedish Government alleges that, by transposing Directive 95/46 into national law, the
Swedish legislator consider that the processing, by a natural person, of personal data

which consists of transmitting said data to an undetermined number of recipients.
rivers, for example, through the Internet, cannot be classified as ≪exclusive activities
personal or domestic within the meaning of article 3, paragraph 2, second
indent, of Directive 95/46 ...


45. Well, voluntary or religious activities such as those carried out by Mrs. Lin-
dqvist cannot be equated with the activities cited in the first indent of the article
3 (2) of Directive 95/46 and, therefore, are not included in that ex-
reception.


46 As regards the exception provided for in the second indent of Article 3 (2),
of Directive 95/46, in the twelfth recital of the latter, relating to said
exception, they are cited as examples of data processing carried out by a person
physical activity in the exercise of exclusively personal or domestic activities, the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/13








weighting and keeping a repertoire of addresses. This exception must interpret
be considered in the sense that it only contemplates the activities that are part of the
the framework of private or family life of individuals; Obviously, this is not the

case of a personal data processing consisting of the dissemination of said data
via the Internet so that they are accessible to an undetermined group of people. "

Therefore, to the activity carried out by the complaining party, the
GDPR, as it cannot be considered a personal or domestic activity.


Second, the complaining party alleges that it pixelized the images so that they were not
identify the claimed. In the documentation that is part of the procedure,
The images have been obtained as they appeared published on the reclaimed website.
checked, verifying that the claimed is absolutely identifiable in the photographs
published fias.

                                             IV
The violation of article 6.1 of the RGPD is typified in article 83 of the
RGPD that, under the heading “General conditions for the imposition of administrative fines,
nistrative ”, he points out:

      "5. Violations of the following provisions will be sanctioned, in accordance with

with section 2, with administrative fines of a maximum of 20,000,000 Euros or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:


a) The basic principles for the treatment, including the conditions for the consent
compliance in accordance with articles 5,6,7 and 9. "

The LOPDGDD in its article 72.1.b) qualifies this infraction, for the purposes of prescription,
as a very serious offense.


In determining the administrative fine that should be imposed, the
observe the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate
lan:

      “Each control authority shall guarantee that the imposition of the administrative fines

treaties pursuant to this article for infringements of this Regulation
indicated in sections 4, 9 and 6 are in each individual case effective, proportionate
nothing and dissuasive. "

      "Administrative fines will be imposed, depending on the circumstances of

each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an admissible fine
nistrative and its amount in each individual case will be duly taken into account:

        a) the nature, severity and duration of the offense, taking into account the

        nature, scope or purpose of the processing operation in question
        as well as the number of interested parties affected and the level of damages
        cios that they have suffered;
        b) intentionality or negligence in the infringement;

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/13








        c) any measure taken by the person in charge or in charge of the treatment
        to alleviate the damages suffered by the interested parties;
        d) the degree of responsibility of the person in charge or the person in charge of the treatment

        to, taking into account the technical or organizational measures that have been applied
        by virtue of articles 25 and 32;
        e) any previous infringement committed by the person in charge or the person in charge of the
        treatment;
         f) the degree of cooperation with the supervisory authority in order to
        means to the infringement and mitigate the possible adverse effects of the infringement;

        g) the categories of personal data affected by the infringement;
        h) the way in which the supervisory authority learned of the infringement,
        in particular if the person in charge or the person in charge notified the infringement and, in such
        case, to what extent;
        i) when the measures indicated in article 58, paragraph 2, have been ordered

        previously filed against the person in charge or the person in charge of the
        relationship with the same matter, compliance with said measures;
        j) adherence to codes of conduct under article 40 or to mechanisms
        certification approved in accordance with article 42, and
        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as financial benefits obtained or losses avoided, direct

        or indirectly, through the infringement. "

Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “San-
corrective measures and actions ”, establishes:


        "two. In accordance with the provisions of article 83.2.k) of Regulation (EU)
2016/679 may also be taken into account:

        a) The continuing nature of the offense.
        b) The linking of the activity of the offender with the performance of treatments

        of personal data.
        c) The benefits obtained as a result of the commission of the offense.
        d) The possibility that the affected person's conduct could have led to the
        commission of the offense.
        e) The existence of a merger process by absorption after the commission
        of the infringement, which cannot be attributed to the absorbing entity.

        f) Affecting the rights of minors.
        g) To have, when not mandatory, a data protection delegate
        cough.
        h) The submission by the person in charge or in charge, on a voluntary basis
        to alternative conflict resolution mechanisms, in those sub-

        positions in which there are controversies between those and any interested
        do."

For the purpose of setting the amount of the fine, it is appropriate to propose that
put the claimed person for the violation of the RGPD that is attributed to him, it is appreciated that

the following factors concur that aggravate the unlawfulness of your
duct or guilt:

        - The nature, severity and duration of the offense, taking into account the nature of the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/13








nature, scope or purpose of the treatment operation in question, as well as
the number of interested parties affected and the level of damages that have suffered
frido;

       - The intentionality or negligence in the infringement;

The circumstance of the lack of linkage of the act is seen as mitigating
tivity of the offender with the processing of personal data.

In relation to the claims of the complained party about the aggravating factors applied,

there is no doubt about its duration: from the month of March
2020, until October of the same year, when a Data Inspector from the Ins-
pection of the Spanish Agency for Data Protection is addressed to the entity of
Internet hosting of the website to request its deletion. The severity of the offense
must be seen from the objective of the claimant, not the claimed, leaving

accredited the damages suffered.

On the other hand, it is an intentional action, as indicated by the claimed party,
pointing out that his intention was to reverse the situation of separation and regain the
claimant.


Accompany the claimed part, the payroll of some months of the year 2021.
notes that the net salary is around 1,300 euros per month.

By proportionality it is usually understood, colloquially, the reduction of the sanction
imposed. However, this need not be the case: proportionality

stands for adequacy, measure, weighting and balance. Therefore, this
principle not only when the excess committed is maintained, but also when that excess
is unjustifiably reduced more than it should because in this case the
ineffectiveness of the sanction, depriving it of the persuasive effects that it may
offer. That is why article 29.3 of Law 40/2015, by regulating the principle of

proportionality, uses the expression “due suitability and necessity of the sanction to
impose and its adaptation to the seriousness of the act constituting the offense ”.

In accordance with the salary of the claimed party, the amount imposed may
considered disproportionate, so in application of the principle of
proportionality, it is appropriate to reduce it to the amount of 1,500 euros, to maintain the

proportionate and at the same time dissuasive character that must be guaranteed with the imposition
of administrative fines.

Therefore, in accordance with the applicable legislation and the graduation criteria assessed
tion of the sanctions whose existence has been proven,


The Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE Don B.B.B., with NIF *** NIF.1, for a violation of Article
6.1.a) of the RGPD, typified in Article 83.5 of the RGPD, and classified as a very

serious, for the purposes of prescription, by article 72.1.b) of the LOPDGDD a fine of
€ 1,500 (one thousand five hundred euros).

SECOND: NOTIFY this resolution to Mr. B.B.B ..

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/13









THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the

art. 98.1.b) of Law 39/2015, of October 1, on the Administrative Procedure Co-
of the Public Administrations (hereinafter LPACAP), within the vo-
luntario established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
procedure that appears in the heading of this document, in the account

restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency
ñola of Data Protection in the banking entity CAIXABANK, S.A .. In case of
Otherwise, it will be collected in the executive period.

Received the notification and once executive, if the date of execution is found

between the 1st and the 15th of each month, both inclusive, the deadline for making the vo-
luntario will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the inte-
Residents may file, optionally, an appeal for reconsideration before the Director

of the Spanish Agency for Data Protection within a month from
the day after notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the additional provision
Fourth nal of Law 29/1998, of July 13, regulating the Contentious Jurisdiction-

administrative, within a period of two months from the day following the notification
tion of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the interested party
do manifests its intention to file a contentious-administrative appeal. Of being

In this case, the interested party must formally communicate this fact in writing
addressed to the Spanish Agency for Data Protection, presenting it through the Re-
Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or to
through any of the other records provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also forward the documentation to the Agency

that certifies the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious-administrative appeal
trative within two months from the day following notification of this
resolution, would terminate the precautionary suspension.

                                                                                    938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es