AEPD (Spain) - PS/00410/2020
|AEPD (Spain) - PS/00410/2020|
|Relevant Law:||Article 6(1)(a) GDPR|
Article 1 Charter of Fundamental Rights of the European Union
Article 10 Spanish Constitution
Article 6 Spanish Civil Code
|National Case Number/Name:||PS/00410/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA fined an individual €1500 for sharing personal data related to the sex life of the complainant on a website. The DPA rejected the individual's claim that a BDSM submission contract is a valid form of consent, and a legitimate basis for the publishing of such personal data.
English Summary[edit | edit source]
Facts[edit | edit source]
An individual published, on a website, personal data of another individual related to their sex life, including photographs, notes and sexual references. Following a complaint of the data subject, the Spanish DPA (AEPD) launched an investigation.
The website, as found by the AEPD, belonged to the defendant.
The defendant alleged that the website was meant to be private, and was created as a remembrance of their 7-years relationship after a difficult divorce. Therefore, the household exception should apply. They also alleged that the website did not contain the data subject's surname and that their face was pixelated, and that the personal data was therefore anonymous.
Furthermore, the defendant alleged that they had signed a contract in 2013 in which they consented the dissemination of images, photographs, videos, or any similar content.
This contract, brought in by the defendant, was a BDSM submission contract. The contract contained a clause in which the data subject waived their privacy, giving herself up as a "slave/submissive", and allowed the defendant to showcase anything related to the data subject. The contract also had a clause that allowed any of the parties to terminate it in any moment.
Holding[edit | edit source]
The DPA held, firstly, that the household exception was not applicable. Making reference to the Lindqvist, Rynes, and Jehova's Witnesses CJEU judgments, the DPA alleged that the processing can only be private or domestic when it only affects incidentally the data of third parties. In this case, the processing is not incidental but the main objective of the processing. Additionally, the website was not private but could be accessed by any third party, and therefore the data were made accessible to an indefinite number of people.
Furthermore, the images were not anonymised, as alleged by the defendant, as the data subject was fully recognizable.
Regarding the alleged consent provided in the contract, the DPA concluded that such consent was not valid.
The AEPD mentioned both the Spanish Constitution (CE) and the Charter of Fundamental Rights of the European Union (CFRUE). According to Article 1 CFRUE, human dignity is inviolable and must must be respected and protected. In a similar sense, Article 10 CE states that the dignity of the people, the inviolable rights that are inherent to them, the free development of the personality, and the respect for the law and for the rights of others are the basis of political order and social peace.
In this regard, the Constitutional Court has established that the fundamental right to data protection aims to prevent data processing that is harmful for people's dignity and rights (sentencia 94/1998, de 4 de mayo). It has also said that dignity is a minimum that shall remain unaltered, so no limitations to individual rights may entail a detriment to the esteem that every human being deserves (sentencia 57/1994, de 28 de febrero).
Therefore, according to the DPA, the contract provided by the defendant, in which the data subject waives their privacy, giving herself up as a "slave/submissive", lacks any contractual validity, since human dignity and the right to data protection are basis of political order, against which the contract acts.
This is also sustained by Article 6 of the Spanish Civil Code, that establishes that the waiver of rights is not valid when it subverts public order or harms any thirds parties.
Therefore, given the lack of valid consent for the dissemination of the data subject's personal data, the DPA considered that the defendant had violated Article 6(1)(a) GDPR, and fined them €1500.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/13 Procedure No.: PS / 00410/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: Mrs. A.A.A. (hereinafter, the complaining party), dated 25 September 2020, filed a claim with the Spanish Agency for the Protection of Data. The claim is directed against Don B.B.B., with NIF *** NIF.1, (hereinafter, the part claimed). The reasons on which the claim is based are the following: Publish on the website *** URL.1 personal data of the claimant without her authorization. tion or consent, including photographs, personal notes, and references reference to their sexual relations with the respondent. Provides position data responsible for this website with which you are in the process of divorce. Which, according to the complainant, took place on the date of: between March 11, 2020 and time of claim SECOND: In view of the facts denounced in the claim and the documents information provided by the claimant / of the facts and documents of which he has had Knowing this Agency, the Subdirectorate General for Data Inspection proceeded to carrying out preliminary investigation actions to clarify the facts in question, by virtue of the investigative powers granted to the authorities des of control in article 57.1 of Regulation (EU) 2016/679 (General Regulation of Data Protection, hereinafter RGPD), and in accordance with the provisions of the Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (LOPDGDD). As a result of the investigative actions carried out, it is verified that the responsible for the treatment is the claimed party. As a result of the investigative actions carried out, it is verified that the responsible for the treatment is the claimed one. On October 16, 2020, the reported extremes were confirmed being on the website numerous photographs scattered throughout the site, many personal notes of the claimed and references to its activity sexual. Diligence is generated with screen printing of the "Cover" pages, "Beginnings", "Your notes" and some photos from the Gallery. On October 19, 2020, this Agency agrees to notify the entity Internet hosting of the website precautionary measure of withdrawal of the content reclaimed. On October 20, this entity is notified. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/13 On October 21, 2020 it is verified that the website has been closed. There is no page or document on this website where it is specified the person in charge of the site. However, a search is performed using the WHOIS tool obtaining matching result in name and surname with the claimed, as the owner of the domain "*** URL.1". Made a request for information on the complete ownership data of the domain “*** URL.1” to the public business entity RED.ES, with the date of October 28, 2020 a written reply is received at this Agency sent by RED.ES informing of the data of the owner of the domain resulting be consistent with the data of the claimed. THIRD: On February 25, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the complained party, with according to the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Pro- Common Administrative Assignment of Public Administrations (hereinafter, LPA- CAP), for the alleged infringement of Art 6.1.a) of the RGPD, typified in Art 83.5 of the GDPR. FOURTH: Once the aforementioned commencement agreement was notified, the claimed party submitted a written allegations in which, in summary, it states the following: 1. That since March 2020 he is the owner of the domain *** URL.1; in that domain have included texts and photographs of the relationship maintained for 7 years with the complaining party, the last two already married. The process of divorce, which was very painful, led him to create the aforementioned page with the hope of remembering the good times and reconciling. This proves it that there are no reproaches or insults. The page was not intended to be visited, rather it was addressed to a single addressee, as it was; lacked interest for third parties. Therefore, the exception of article 4.a) of the LOPDGDD, as it is something personal and domestic. European regulations It was designed for large corporations or companies that make massive use of data. The complaining party may request the withdrawal of information by responsible for its publication, but cannot be penalized for it. I could only Report to the civil courts for violation of privacy and honor. 2. The Agency includes in the initiation agreement, article 4, sections 1 and 2 of the RGPD, forgetting that the publication does not include the surnames of the claim. mante, only his first name, so it is somewhat anonymous. In the post 44 photographs appear, 36 in which they are together or with other people and 8 in which she appears alone, but with a pixelated face. In any case, try Taking pictures of the inner circle, they are to be considered domestic. The Images do not identify or make the complaining party identifiable. 3. If it is considered that article 6 of the RGPD could have been violated, accompany panes a contract signed between both parties in 2013, in which they agree feel in the dissemination of images, photographs or videos in any modality or format. This is stated in point 10 of the contract. The page has been operational rative until the divorce decree was passed; and at no time C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/13 turned to request its cancellation. 4. The following have been taken into consideration when imposing the sanction aggravating factors: a) the nature, severity and duration of the offense, taking into account account of the nature, scope or purpose of the treatment operation of concerned as well as the number of interested parties affected and the level of damages and losses they have suffered; nature and severity that it values subjectively mind the agency, taking into account the duration, which has been short, the limited scope since it has not been disseminated, the purpose that was reconciliation tion. The claimed party has not indicated that damages have been caused I swim. Regarding intentionality or negligence, it must be assessed that they have Pixelated images to avoid recognition by third parties. Shows his disagreement with the aggravating factors applied. The supporting document provided by the claimed party to demonstrate that it counted With the consent of the complaining party, it is called “Submission Contract BDSM ”, in which the complaining party, in use of the powers and giving it value with tractual, is delivered to its master, owner, lord and master (the claimed one), as slave / submissive, giving her all rights over her person. On the other hand, the claimed takes possession of the body and mind of the claimant, considering it his property. Section 10 indicates the following: “I renounce all right of privacy or concealment. If my master decides to exhi- birme before other people I will show myself to them in the terms indicated to me, assuming it can even be face-to-face. This disclaimer includes photographs and videos of myself or myself in any situation or form, accepting that my Master and Lord may show them. If my Lord and Master decide to make public images of me (photographs or videos), in all my acts as your submissive / slave, I will consider you a honor. It is also the power of my Master and Lord to punish me, possess me and submit me publicly to enjoy my full submission " In the “BDSM submission contract”, there is a section on “Termination of the Contra- Submission Agreement ”in which it is indicated: This Contract may be terminated in any- I want a moment for either party. FIFTH: On March 22, 2021, the instructor of the procedure agreed to the opening of a period of practical tests, taking as incorporated the preliminary investigation actions, E / 08354/2020, as well as the documents provided by the defendant, on March 18, 2021. SIXTH: On April 3, 2021, a resolution proposal was formulated, proposing that the Director of the Spanish Data Protection Agency sanction the claimed party with a fine of 10,000 euros, for an infraction of the Article 6.1.a) of the RGPD, typified in Article 83.5 of the RGPD, and qualified as very serious infraction, for the purposes of prescription, by article 72.1.b) of the LOPDGDD. The complained party submitted a brief of allegations, in which it states the following: “Mr. Instructor understands that the legitimate cause of the trafficking is not applicable to the case. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/13 data content contained in article 6.1.b) of the RGPD arguing that, although the contract signed between the parties (document No. 1 provided in previous brief of allegations) could be considered valid for the treatment of images, Said contract was terminated by the claimant herself when requesting the divorce of the claimant. mado. It must be assumed that in order to reach this conclusion, the Article 102 of the Civil Code, which stipulates that one of the effects of the admission of the order of nullity, separation or divorce is the revocation of the consents and rights that either spouse had granted to the other ... In accordance with section 2 of article 2 of Organic Law 15/1999, of December 13, census (LOPD), the personal data protection regime that is established in the Organic Law, the following shall not apply: To files maintained by per- physical activities in the exercise of exclusively personal or domestic activities. Well, in the present case there is no more personal data of the claimant than a series of pixelated photographs, and that implies that there are no surnames, addresses, activities, references or any other element susceptible to knowledge or lawsuit by third parties, which prevents your rights from being affected in any way na way. On the other hand, these are files maintained by a natural person "par- ticular ", so that there has been no professional, commercial or industrial treatment, no company has intervened, and the treatment has been carried out in the exclusive field sive of a personal or domestic activity. As Mr. Instructor points out, article 83.2 of the RGPD provides that when deciding the imposition of an administrative fine and its amount in each individual case shall be will take into account the aggravating and mitigating factors that are listed in said article ass, as well as any other that may be applicable to the circumstances of the case. Regarding the aggravating grounds of law applied to the file In the proposed sanction, the first and literal impact is applied to the duration of the infringement, but the GDPR speaks more specifically of the "continuous nature of the offense ", that is, it refers to the number of occasions in which the defendant has carried out the infringement and, it is the case, that the defendant carried out a single and exclusive publication without additions or other subsequent interventions, so it is updated tion had an isolated character irrespective of which photographs remained They will be on the page for the seven months it was in effect. Regarding intentionality, it does not seem that the Regulation refers to the offender has been done for one or another purpose, as interpreted by the Instructor, but to the existence of negligence or not, so that, although ignorance of the Law does not require compliance, it must be taken into account whether the alleged offender is a It is a physicist that does not process data regularly. The same indeterminacy can be appreciated with respect to the criterion of seriousness of the infraction. tion and, even more so if, as indicated by the instructor, said severity is a function of Damages and losses suffered by the claimant, since the record does not appear to contain the least accreditation in this regard. In any case, the proposed sanction does not comply with the provisions of articles 83.3 and 83.2 of the RGPD inasmuch as it totally dispenses with the principle of proportionality and exclusively to a mere tax collection effort in which a minimum and pru- C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/13 dente examination of the economic circumstances of the alleged offender. The defendant has as his only income what he obtains through his work wage earner who, as can be seen through the payrolls that are attached as do- document no. 1, barely exceeds 1,000.00 euros per month. PROVEN FACTS FIRST: On September 25, 2020, the claimant filed a claim before the Spanish Agency for Data Protection, directed against the claimed. The The reason is the publication on the website *** URL.1, of personal data of the complainant without their authorization or consent, including photographs, personal notes and reference to their sexual relations with the respondent. Provide details of the possible person responsible for this website with which you are in contentious divorce process. Which, according to the claimant, took place on the date of: between March 11, 2020 and the time of claim. SECOND: On October 16, 2020, the reported extremes are verified being on the website numerous photographs scattered throughout the site, many personal notes from the claimed and references to her sexual activity. Diligence is generated with screen printing of the pages "Cover", "Beginnings", "Your notes" and some photos from the Gallery. The screenshots show that, although some attempts have been made photographs its pixelated, the image of the claimant is absolutely identifiable. THIRD: On October 19, 2020, it was agreed by this Agency to notify to the Internet hosting entity of the website precautionary measure of withdrawal of the claimed content. On October 20, it is notified and on October 2020 it is verified that the website has been closed. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), recognizes each Control Authority, and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Agency Spanish Data Protection is competent to initiate and resolve this process. Article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of the Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in their development and, as long as they do not contradict them, in a subsidiary, by the general rules on administrative procedures. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/13 II The physical image of a person, according to article 4.1 of the RGPD, is data personal protection and their protection, therefore, is the object of said Regulation. Article 4.2 of the RGPD defines "treatment" as: "any operation or set of operations carried out on personal data or personal data sets, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of authorization of access, collation or interconnection, limitation, deletion or destruction. " The recording and dissemination of images, which identify or make identifiable a person, on social networks or websites, involves data processing personal data and, therefore, the person who does it has to rely on one of the legitimizing causes indicated in article 6 of the RGPD. In these cases, as In the case that is the subject of the claim, the only legitimate cause is usually the consent, in general. And it is the person who records and uploads the images to a website which must demonstrate that it has that consent. In order for this treatment to be carried out lawfully, the following must be fulfilled. established in article 6.1 of the RGPD, which indicates: << 1. The treatment will only be lawful if at least one of the following is met terms: a) the interested party gave their consent for the processing of their data personal for one or more specific purposes; b) the treatment is necessary for the performance of a contract in which the interested is part or for the application at the request of this of measures pre-contractual; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the person responsible for the treatment; d) the treatment is necessary to protect vital interests of the interested party or of another natural person; e) the treatment is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers conferred on the person responsible for the treatment; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that on said interests do not prevail the interests or the rights and freedoms fundamental data of the interested party that require the protection of personal data, in particular when the interested party is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions. >>. Article 7 of the RGPD establishes, in its first section, the following: “1. When the treatment is based on the consent of the interested party, the person in charge must be capable of demonstrating that he consented to the processing of his personal data ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/13 On the other hand, the first section of article 7 of the LOPDGDD specifies how it has if this consent is: “1. In accordance with the provisions of article 4.11 of the Regulation (EU) 2016/679, the consent of the affected party is understood to be all manifestation of free, specific, informed and unequivocal will for which this accepts, either through a declaration or a clear affirmative action, the treatment of personal data concerning him. " III In accordance with the accreditations currently available of the sanctioning procedure, it is considered that the defendant did not obtain a consent valid consent of the claimant for the processing of their personal data that has been found that it occurred when published on the website *** URL. 1 photos, notes personal information and reference to their sexual relations with the defendant of the claimant, once the separation had taken place and the process of contentious vorcio; nor was it legitimized by the contractual relationship that it maintains they had from the moment of the couple's breakup. The known facts could constitute an infringement, attributable to the claim. , due to violation of article 6.1 outlined, as there is no consent to the processing of data processing carried out or any other cause that legitimizes said treatment. In relation to the supporting document provided by the claimed party for prove that he had the consent of the complaining party, we must leave of article 10 of the Spanish Constitution, which states, in its first section that "The dignity of the person, the inviolable rights that are inherent, the free personality development, respect for the law and the rights of others are foundation of political order and social peace ”while the second section adds that “The norms relating to fundamental rights and freedoms that the Constitution recognizes shall be interpreted in accordance with the Universal Declaration of Human Rights and international treaties and agreements on them matters ratified by Spain ”. In this sense, article 1 of the Charter of the Fundamental Rights of the European Union affirms that “Human dignity is inviolable. It will be respected and protected ”. The Constitutional Court indicated in its Sentence 94/1998, of May 4, that Through a fundamental right to data protection, the person is guaranteed the control over your data, any personal data, and over its use and destination, to prevent the illicit traffic of the same or harmful to the dignity and rights of the affected. Previously, in its Judgment 57/1994, of February 28, the Court Constitution had affirmed that “the rule of art. 10.1 C.E., projected on the individual rights, implies that dignity must remain unaltered whichever that is the situation in which the person finds himself, constituting, consequently, an invulnerable minimum that every legal statute must ensure, so that the limitations imposed on the enjoyment of individual rights do not entail a contempt for the esteem that, as a human being, the person deserves ”. Therefore, the human dignity, inviolable, and the fundamental rights that are inherent, among which we find the protection of personal data, are foundation of the political order. In relation to the contract provided by the party claimed, in which the claimant renounces “her privacy” and the protection of her C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/13 image and, in general, to "all rights over his person", surrendering as "Slave / submissive", we must conclude that it lacks any validity contractual. In this sense, article 6 of the Civil Code establishes that the exclusion voluntary of the applicable Law and the waiver of the rights recognized in it only will be valid when they do not contradict public interest or order or harm third parties. In view of what has already been stated, the waiver of these fundamental rights it is considered contrary to public order, which entails its lack of validity. Regarding the allegations of the complained party, referring, firstly, that there is no The RGPD is applied since it applies to the realization of the treatment the exception do- as established in article 2.2 of the RGPD and article 2.2.a) of the LO- PDGDD, the following should be noted: it says to article 2.2 of the RGPD: "two. This Regulation does not apply to the processing of personal data: c) carried out by a natural person in the exercise of activities exclusively- personal or domestic mind ”. This Agency, on the other hand, considers that the action of the person claimed cannot to be included in this exception. To define what is to be considered as treatment of an exclusively personal nature, sonal or domestic, although in this case the application of those precepts without going into that analysis, it is convenient to take into account the CJEU doctrine stated in the Lindqvist, Rynes and Jehovah's Witnesses judgments (STJUE of July 10, 2018, C-25/17). In accordance with these judgments, it can be considered that the CJEU understands, in a general, that the exception of activities of an exclusively personal or do- meticum is to be interpreted in the strict sense, only when the treatment of data affects "incidentally" the private life or intimacy of "other people", different Tasks of the person in charge of the personal data. It is also said by the Tri- It is clear that the character of personal or domestic activities is not exclusively defined as opposed to the dissemination of the data, but rather that such dissemination implies that a processing of personal data related to the private or family life of individuals cannot be considered excluded from the protective regulations, so that There are other cases in which, even when treating personal data of a personal nature or this could not be understood as included within the exception provided for in the article section 2.2 c) of the RGPD. We must not lose sight of what is the processing of personal data that is carried out in the This case consists of the publication and dissemination of images and private notes in a website that could be accessed by third parties. As can be seen, in this case no is that the private life or privacy of another person is "incidentally" affected, but the very object of this data processing is, precisely, the image of the claimed one. That is, the treatment of the personal data of the claimed party whose image is being broadcast against your will is not a mere "incidental" nuisance within a more general data processing, but rather the use of your personal data- it is precisely the goal of treatment for them. Therefore it is not possible to consider in any case that said data processing of the complaining party is merely incidental, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/13 rather, it is a "primary" treatment. The CJEU of July 10, 2018, C-25/17, Jehovah's Witnesses, establishes an inter- pretation about the concept of exclusively personal or domestic activities and it says like this: 42 As the Court has held, Article 3 (2), second indent, of Directive 95/46 must be interpreted in the sense that it only contemplates the activities that fall within the framework of the private or family life of the participants cular. In this regard, it will not proceed to consider that an activity is exclusively personal or domestic care, for the purposes of said provision, when it is intended to allow to an undetermined number of people access to personal data or when ac- tivity extends, even in part, to the public space and is therefore directed out of the private sphere of the person who proceeds to the treatment of the data (see, in this regard, the judgments of November 6, 2003, Lindqvist, C-101/01, EU: C: 2003: 596, paragraph 47; of December 16, 2008, Satakunnan Ma- rkkinapörssi and Satamedia, C-73/07, EU: C: 2008: 727, paragraph 44, and of December 11 of 2014, Ryneš, C-212/13, EU: C: 2014: 2428, paragraphs 31 and 33). The CJEU Judgment of 11/6/2003, “Lindqvist” refers to the assumption of a person physicist, who volunteered in a church as a catechist in Sweden. Is person had created his own web page on the internet, open to anyone, in the who in a humorous tone made reference to his fellow volunteers in the church, revealing their names, phone numbers, hobbies, and in some cases co- He mentioned that a colleague of hers was on leave due to an injury or illness in a foot, which was considered a health data. And it refers to whether this type of action tions would be excluded from the application of data protection regulations if consider exclusively personal or domestic activities, indicating: "30. Ms. Lindqvist maintains that an individual who, in the exercise of his freedom of expression, creates various web pages as part of a non-profit activity or in their leisure time, they do not carry out an economic activity and, therefore, their conduct is not subject to Community law ... 31. The Swedish Government alleges that, by transposing Directive 95/46 into national law, the Swedish legislator consider that the processing, by a natural person, of personal data which consists of transmitting said data to an undetermined number of recipients. rivers, for example, through the Internet, cannot be classified as ≪exclusive activities personal or domestic within the meaning of article 3, paragraph 2, second indent, of Directive 95/46 ... 45. Well, voluntary or religious activities such as those carried out by Mrs. Lin- dqvist cannot be equated with the activities cited in the first indent of the article 3 (2) of Directive 95/46 and, therefore, are not included in that ex- reception. 46 As regards the exception provided for in the second indent of Article 3 (2), of Directive 95/46, in the twelfth recital of the latter, relating to said exception, they are cited as examples of data processing carried out by a person physical activity in the exercise of exclusively personal or domestic activities, the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/13 weighting and keeping a repertoire of addresses. This exception must interpret be considered in the sense that it only contemplates the activities that are part of the the framework of private or family life of individuals; Obviously, this is not the case of a personal data processing consisting of the dissemination of said data via the Internet so that they are accessible to an undetermined group of people. " Therefore, to the activity carried out by the complaining party, the GDPR, as it cannot be considered a personal or domestic activity. Second, the complaining party alleges that it pixelized the images so that they were not identify the claimed. In the documentation that is part of the procedure, The images have been obtained as they appeared published on the reclaimed website. checked, verifying that the claimed is absolutely identifiable in the photographs published fias. IV The violation of article 6.1 of the RGPD is typified in article 83 of the RGPD that, under the heading “General conditions for the imposition of administrative fines, nistrative ”, he points out: "5. Violations of the following provisions will be sanctioned, in accordance with with section 2, with administrative fines of a maximum of 20,000,000 Euros or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a) The basic principles for the treatment, including the conditions for the consent compliance in accordance with articles 5,6,7 and 9. " The LOPDGDD in its article 72.1.b) qualifies this infraction, for the purposes of prescription, as a very serious offense. In determining the administrative fine that should be imposed, the observe the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate lan: “Each control authority shall guarantee that the imposition of the administrative fines treaties pursuant to this article for infringements of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate nothing and dissuasive. " "Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an admissible fine nistrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages cios that they have suffered; b) intentionality or negligence in the infringement; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/13 c) any measure taken by the person in charge or in charge of the treatment to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or the person in charge of the treatment to, taking into account the technical or organizational measures that have been applied by virtue of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to means to the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority learned of the infringement, in particular if the person in charge or the person in charge notified the infringement and, in such case, to what extent; i) when the measures indicated in article 58, paragraph 2, have been ordered previously filed against the person in charge or the person in charge of the relationship with the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or to mechanisms certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through the infringement. " Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “San- corrective measures and actions ”, establishes: "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offense. b) The linking of the activity of the offender with the performance of treatments of personal data. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have led to the commission of the offense. e) The existence of a merger process by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) To have, when not mandatory, a data protection delegate cough. h) The submission by the person in charge or in charge, on a voluntary basis to alternative conflict resolution mechanisms, in those sub- positions in which there are controversies between those and any interested do." For the purpose of setting the amount of the fine, it is appropriate to propose that put the claimed person for the violation of the RGPD that is attributed to him, it is appreciated that the following factors concur that aggravate the unlawfulness of your duct or guilt: - The nature, severity and duration of the offense, taking into account the nature of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/13 nature, scope or purpose of the treatment operation in question, as well as the number of interested parties affected and the level of damages that have suffered frido; - The intentionality or negligence in the infringement; The circumstance of the lack of linkage of the act is seen as mitigating tivity of the offender with the processing of personal data. In relation to the claims of the complained party about the aggravating factors applied, there is no doubt about its duration: from the month of March 2020, until October of the same year, when a Data Inspector from the Ins- pection of the Spanish Agency for Data Protection is addressed to the entity of Internet hosting of the website to request its deletion. The severity of the offense must be seen from the objective of the claimant, not the claimed, leaving accredited the damages suffered. On the other hand, it is an intentional action, as indicated by the claimed party, pointing out that his intention was to reverse the situation of separation and regain the claimant. Accompany the claimed part, the payroll of some months of the year 2021. notes that the net salary is around 1,300 euros per month. By proportionality it is usually understood, colloquially, the reduction of the sanction imposed. However, this need not be the case: proportionality stands for adequacy, measure, weighting and balance. Therefore, this principle not only when the excess committed is maintained, but also when that excess is unjustifiably reduced more than it should because in this case the ineffectiveness of the sanction, depriving it of the persuasive effects that it may offer. That is why article 29.3 of Law 40/2015, by regulating the principle of proportionality, uses the expression “due suitability and necessity of the sanction to impose and its adaptation to the seriousness of the act constituting the offense ”. In accordance with the salary of the claimed party, the amount imposed may considered disproportionate, so in application of the principle of proportionality, it is appropriate to reduce it to the amount of 1,500 euros, to maintain the proportionate and at the same time dissuasive character that must be guaranteed with the imposition of administrative fines. Therefore, in accordance with the applicable legislation and the graduation criteria assessed tion of the sanctions whose existence has been proven, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE Don B.B.B., with NIF *** NIF.1, for a violation of Article 6.1.a) of the RGPD, typified in Article 83.5 of the RGPD, and classified as a very serious, for the purposes of prescription, by article 72.1.b) of the LOPDGDD a fine of € 1,500 (one thousand five hundred euros). SECOND: NOTIFY this resolution to Mr. B.B.B .. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/13 THIRD: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on the Administrative Procedure Co- of the Public Administrations (hereinafter LPACAP), within the vo- luntario established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency ñola of Data Protection in the banking entity CAIXABANK, S.A .. In case of Otherwise, it will be collected in the executive period. Received the notification and once executive, if the date of execution is found between the 1st and the 15th of each month, both inclusive, the deadline for making the vo- luntario will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the inte- Residents may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from the day after notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the additional provision Fourth nal of Law 29/1998, of July 13, regulating the Contentious Jurisdiction- administrative, within a period of two months from the day following the notification tion of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party do manifests its intention to file a contentious-administrative appeal. Of being In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Re- Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or to through any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also forward the documentation to the Agency that certifies the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal trative within two months from the day following notification of this resolution, would terminate the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es