AEPD (Spain) - PS/00428/2022
AEPD - PS/00428/2022
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR; Article 83(4) GDPR; Article 83(5) GDPR
National Case Number/Name: PS/00428/2022
European Case Law Identifier: n/a
Original Source: AEPD (in ES)
The Spanish DPA fined a Community €1,500 for unduly exposing to third parties personal data that appeared in a judgement placed on a public bulletin board, in violation of Article 5(1)(f) and Article 32 GDPR.
English Summary
Facts
The data subject claimed that the Community/condominium to which he belongs had posted, on a bulletin board located in a common area (at the entrance of the doorway next to the elevator), a judgement in which his personal data (name, address and information about the judicial process) appeared.
The document had allegedly been displayed since May 17, 2021 and, at the date of the complaint (July 26, 2021), had not been deleted or anonymized, despite the clear warning on the document itself against dissemination to non-interested parties without prior dissociation of personal data: "it will be contrary to the Law to disseminate non-anonymized Judicial documents that have not been anonymized".
Additionally, on November 24, 2017 the data subject had already filed a complaint against the Community before the AEPD for facts of an identical nature. That complaint was processed under procedure A/00001/2018 and concluded with a warning (R/00601/2018) for the infringement and a requirement to remove the improperly exposed information.
The Community alleged that on October 13, 2021 it removed the document displayed on the notice board.
Holding
The Spanish DPA considered that, even though the Community is authorized to display personal data in some cases for the management of the community, the notice board must not be placed in a public transit area easily accessible by any person.
The AEPD highlighted that the data subject had filed a previous complaint against the Community, under proceeding A/00001/2018, which concluded with a warning to the Community and an order to remove the (other) document displayed.
The AEPD concluded that, based on the evidence, a personal data security breach had occurred, categorized as a breach of confidentiality, since the data subject's personal data were improperly exposed by the Community to third parties when they appeared in a Decree of Execution of Judicial Titles. Specifically, the document was displayed on a bulletin board in plain view of any person who accesses the building, not only the neighbors.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202100764

RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On July 26, 2021, A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency. The claim is directed against COMMUNITY OWNERS B.B.B. with NIF ***NIF.1 (hereinafter, the Community). The reasons on which the claim is based are the following:

The claimant states that the Community, to which the claimant belongs, displays on the locked bulletin board located in a common area, at the entrance to the portal next to the elevator, a Decree of Execution of Judicial Titles in which the personal data of the claimant (name and surname) appear. It also informs that the Community was subject to a warning procedure for the same reason in 2018.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the Community, so that it could proceed to its analysis and inform this Agency, within a period of one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) through electronic notification, was not collected by the person responsible within the period of making available, and was understood as rejected in accordance with the provisions of art. 43.2 of the LPACAP on August 10, 2021, as stated in the certificate in the file. Although the notification was validly carried out by electronic means, and the procedure was deemed to have been carried out in accordance with the provisions of article 41.5 of the LPACAP, an informational copy was sent by post.
In said notification, the Community was reminded of its obligation to interact electronically with the Administration and was informed of the means of access to said notifications, reiterating that henceforth it would be notified exclusively by electronic means. Said postal notification was returned for not being picked up at the Post Office on September 13, 2021, after two attempts to notify the home on different days and times. The transfer was reiterated by the same means and notified on October 11, 2021.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

No response has been received to this transfer letter.

THIRD: On December 2, 2021, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out previous investigative actions to clarify the facts at issue, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points:

Facts according to statements by the complaining party:

The claimed Community, to which the claimant belongs, has posted on the bulletin board located in a common area (at the entrance of the portal next to the elevator) a Decree of Execution of Judicial Titles in which the name and surnames of the claimant appear.
The exhibition would have occurred “at least” from May 17, 2021 without, according to the claimant, having been deleted or anonymized on the date of the claim (July 26, 2021), “despite the clear warning which appears in the document itself” against the dissemination of “non-anonymized judicial documents.” The claimant states that on November 24, 2017 he already submitted a claim against the Community before the AEPD for acts of the same nature. This was processed under procedure A/00001/2018 with the result of a warning (R/00601/2018) for infringement (article 44.3.d of Organic Law 15/1999) and a requirement for removal of the improperly exposed information.

The claimant adds that the Community's actions cause him harm because, on the one hand, it informs non-interested third parties about his place of residence, and on the other hand links him to a judicial procedure whose publicity is unjustified, putting his personal data at risk. Likewise, he indicates that it is not clear what the purpose of such publication of his personal data is.

Relevant documentation provided by the complaining party:

- Copy of the decree of execution of judicial titles of May 12, 2021, which includes the claimant (name and surname) and the Community as interveners. The side of the decree contains a text warning of non-dissemination to non-interested parties without prior dissociation of personal data. Besides, the operative part includes the text: “Approve in XX.XXX.XX euros the cost of that to which this execution refers.”
- Photographs of the portal in which the decree outlined in the previous paragraph is displayed, hanging on the bulletin board located between the staircase and the elevator.
- Copy of resolution R/00601/2018 of procedure A/00001/2018.
Date on which the claimed events took place: May 17, 2021

The background information contained in the information systems is as follows:

- A prior claim appears in the AEPD information system, filed by the claimant against the Community (registration number 370647/2017) and managed within the framework of procedure A/00001/2018. This procedure concluded with the warning of the Community together with the request to remove the document displayed on the notice board that was the object of controversy (R/00601/2018, incorporated into these proceedings).

In addition, information is collected from the following sources:

- Writing from the Community registered upon entry into the AEPD on February 22, 2022 with number O00007128e2200008332 (hereinafter Writing #1).
- Guide “Data Protection and Property Administration” of the AEPD, downloaded from its website.

The Community states in Writing #1 that on October 13, 2021 it proceeded to remove the document displayed on the notice board that is the subject of the claim. In view of the withdrawal, it requests the archiving of the proceedings or, alternatively, a warning sanction. It attaches to the letter a photograph of an empty bulletin board.

The “Data Protection and Property Administration” guide of the AEPD includes in its eighth section the following text: “Can personal data be published on the notice board of the Community of owners? The cases in which the exposure of personal data related to matters derived from community management is authorized are specified in article 9.h) of the LPH. The notice board should not be placed in a transit location easily accessible by anyone.”

FIFTH: On October 21, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, for the alleged violation of Article 5.1.f) of the RGPD and Article 32 of the RGPD, typified in Article 83.4 of the RGPD and Article 83.5 of the RGPD.
The initiation agreement was notified electronically to the Community. This is what article 14.2 of Law 39/2015 on Common Administrative Procedure of the Public Administrations (LPACAP) provides, according to which “In any case they will be obliged to interact through electronic means with the Public Administrations for carrying out any procedure of an administrative procedure, at least, the following subjects: a) Legal entities.”

In the file there is a Certificate issued by the Electronic Notification Service and the Enabled Electronic Address of the FNMT-RCM, which records the sending of the initiation agreement notification from the AEPD addressed to the Community through that medium, the date of making available in the electronic headquarters of the organization being October 21, 2022 and the automatic rejection date November 11, 2022.

Article 43.2 of the LPACAP establishes that when notification by electronic means is mandatory - as is the case in the present case - “it will be deemed rejected when ten calendar days have elapsed since the making available of the notification without accessing its content.” (The emphasis is from the AEPD).

Add that articles 41.5 and 41.1, third paragraph, of the LPACAP establish, respectively, that:

When the interested party or his representative rejects the notification of an administrative action, it will be recorded in the file specifying the circumstances of the attempted notification and the means, considering the procedure completed and following the procedure. (The emphasis is from the AEPD)

Regardless of the medium used, notifications will be valid provided that they allow us to have evidence of their sending or making available, of the receipt or access by the interested party or his representative, of their dates and times, of the complete content, and the reliable identity of the sender and recipient of the same.
The accreditation of the notification made will be incorporated into the file.

Likewise, and in addition to the electronic notification, a copy was sent by postal mail. Said postal notification was returned because it was not picked up at the Post Office on November 8, 2022, after two attempts to notify the address on different days and times, as stated in the Certificate issued by Correos that is in the file.

SIXTH: Article 73.1 of the LPACAP determines that the deadline to formulate allegations to the initiation agreement is ten days computed from the day following that of the notification.

Article 64.2.f) LPACAP - a provision of which the claimed party was informed in the agreement to open the procedure - establishes that, in case of not making allegations within the stipulated period regarding the content of the initiation agreement, this may be considered a proposal for a resolution when it contains a precise statement about the imputed responsibility. (The emphasis is from the AEPD).

In this case, the agreement to initiate the sanctioning file determined the facts in which the imputation materialized, the violation of the RGPD attributed to the claimed party and the sanction that could be imposed. Therefore, taking into consideration that the claimed party has not made allegations to the agreement to initiate the file, and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case as a proposed resolution.
In view of everything that has been done in this procedure by the Spanish Data Protection Agency, the following are considered proven facts:

PROVEN FACTS

FIRST: The Community has displayed on the bulletin board located in a common transit area easily accessible by anyone (at the entrance of the portal next to the elevator) a Decree of Execution of Judicial Titles in which the personal data of the claimant (name and surname and information about a judicial process) and the Community appear as interveners. It has been published at least from May 17, 2021 until October 13, 2021, the date on which the Community claims to have removed it.

On the side of the Decree appears a text warning of non-dissemination to non-interested parties without prior dissociation of personal data. Furthermore, the operative part includes the text: “Approve in XX.XXX.XX euros the cost of that to which the present execution refers.”

SECOND: A prior claim is recorded in the AEPD information system by the claimant against the Community, managed within the framework of procedure A/00001/2018. This procedure concluded with a resolution warning the Community together with the requirement to withdraw the document displayed on the bulletin board subject to controversy (R/00601/2018).

FOUNDATIONS OF LAW

I
Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II
Previous issues

In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is processing of personal data, since the Community carries out, among other treatments, the collection, registration, organization, conservation, modification, consultation, use and deletion of the following personal data of natural persons, such as: name, surname, address, identification number, telephone number, etc.

The Community carries out this activity in its capacity as data controller, given that it is the one who determines the ends and means of such activity, by virtue of article 4.7 of the GDPR.

Article 4 section 12 of the GDPR broadly defines “violations of security of personal data” (hereinafter security breach) as “all those security violations that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, preserved or otherwise processed, or unauthorized communication or access to said data.”

In the present case, there is a personal data security breach in the circumstances indicated above, categorized as a breach of confidentiality, since personal data of the claimant have been displayed on a bulletin board in a common area, specifically in the access portal of the property of the Community of Owners, between the stairs and the elevator, therefore in sight of any person who accesses it and not only the neighbors.
It should be noted that the identification of a security breach does not imply the imposition of a sanction directly by this Agency, since it is necessary to analyze the diligence of those responsible and in charge and the security measures applied.

Within the treatment principles provided for in article 5 of the RGPD, the integrity and confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR. For its part, the security of personal data is regulated in articles 32, 33 and 34 of the RGPD, which regulate the security of the processing, the notification of a breach of personal data security to the control authority, and the communication to the interested party, respectively.

III
Article 5.1.f) of the GDPR

Article 5.1.f) “Principles relating to processing” of the GDPR establishes:

"1. The personal data will be: (…) f) treated in such a way as to ensure adequate security of the personal data, including protection against unauthorized or unlawful processing and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures (“integrity and confidentiality”).”

In the present case, it is clear that the personal data of the claimant (name, surnames and information about a judicial process) were improperly exposed by the Community to third parties, since they appeared in a Decree of Execution of Judicial Titles that was placed by said Community on a locked bulletin board located at the entrance to the property (between the stairs and the elevator), a place where any person can pass, whether or not they are an owner of the property, being, therefore, an area of public access, which constitutes unauthorized access to said data. This document was exposed from May 17, 2021 until October 13, 2021.
Article 9.h) of the Horizontal Property Law indicates as an obligation of the owner that of “Communicating to whoever exercises the functions of Secretary of the community, by any means that allows proof of receipt, an address in Spain for the purposes of summonses and notifications of all kinds related to the community. In the absence of this communication, the address for summonses and notifications will be considered to be the apartment or premises belonging to the community, those delivered to the occupant thereof taking full legal effect. If a summons or notification to the owner is attempted and it is impossible to carry it out in the place provided for in the previous paragraph, it will be understood to be carried out by means of the placement of the corresponding communication on the bulletin board of the community, or in a visible place of general use enabled for this purpose, with a note expressing the date and reasons why this form of notification is carried out, signed by whoever exercises the functions of Secretary of the community, with the approval of the President. The notification carried out in this way will produce full legal effects within a period of three calendar days.”

In the present case, the presentation of the claimant's data on the board of the community does not comply with the assumptions set forth in the Horizontal Property Law.

In accordance with the evidence available, it is considered that the known facts constitute an infringement, attributable to the Community, for violation of article 5.1.f) of the RGPD.
IV
Classification of the violation of article 5.1.f) of the RGPD

The violation of article 5.1.f) of the RGPD implies the commission of the violations typified in article 83.5 of the RGPD, which under the heading “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount: a) the basic principles for the treatment, including the conditions for consent under articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.”

For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infractions that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and in particular the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)”

V
Penalty for violation of article 5.1.f) of the RGPD

The balance of the circumstances contemplated in article 83.2 of the RGPD and article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the provisions of article 5.1.f) of the RGPD, allows setting a penalty of €1,000 (one thousand euros).

VI
Article 32 of the GDPR

Article 32 “Security of processing” of the GDPR establishes:

"1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for the rights and freedoms of natural persons, the controller and the processor will apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, which, if applicable, includes, among others:
a) pseudonymization and encryption of personal data;
b) the ability to guarantee the permanent confidentiality, integrity, availability and resilience of treatment systems and services;
c) the ability to restore availability and access to personal data quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment.
2. When evaluating the adequacy of the security level, particular consideration will be given to the risks presented by data processing, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, preserved or otherwise processed, or the communication of or unauthorized access to said data.
3. Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article.
4. The controller and the processor will take measures to ensure that any person acting under the authority of the controller or processor and having access to personal data can only process said data following instructions of the controller, unless obliged to do so by virtue of the Law of the Union or the Member States.”
In the present case, at the time of the breach, it cannot be said that the claimed party had the appropriate measures to avoid the incident, since it posted the complainant's personal details on a notice board in an area easily accessible by anyone (at the access portal, between the stairs and the elevator) of the Community property, having also been warned by this Agency in a previous procedure for similar facts, which shows that it has not adopted adequate technical and organizational measures to avoid the recurrence of security incidents like the one that happened.

In accordance with the evidence available, it is considered that the known facts constitute an infringement, attributable to the Community, for violation of article 32 of the RGPD.

VII
Classification of the violation of article 32 of the RGPD

The aforementioned violation of article 32 of the RGPD implies the commission of the violations typified in article 83.4 of the RGPD, which under the heading “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the largest amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.”

For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates:

“Based on what is established in article 83.4 of Regulation (EU) 2016/679, the infractions that involve a substantial violation of the articles mentioned therein are considered serious and will prescribe after two years, and in particular the following: (…) f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of Regulation (EU) 2016/679.”

VIII
Penalty for violation of article 32 of the GDPR

The balance of the circumstances contemplated in article 83.2 of the RGPD and article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the provisions of article 32 of the RGPD, allows a fine of €500 (five hundred euros).

Therefore, in accordance with the applicable legislation and having evaluated the criteria for graduation of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on COMMUNITY OWNERS B.B.B., with NIF ***NIF.1, for a violation of Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR, a fine of ONE THOUSAND EUROS (1,000 euros).

SECOND: IMPOSE on COMMUNITY OWNERS B.B.B., with NIF ***NIF.1, for a violation of Article 32 of the GDPR, typified in Article 83.4 of the GDPR, a fine of FIVE HUNDRED EUROS (500 euros).

THIRD: NOTIFY this resolution to COMMUNITY OWNERS B.B.B.

FOURTH: Warn the sanctioned party that it must make the sanction imposed effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by paying it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account IBAN number: ES00-0000-0000-0000-0000-0000 opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the executive period.

Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the voluntary payment will be until the 20th of the following month or the immediately following business day, and if it is between the 16th and the last day of each month, both inclusive, it will be until the 5th of the second following month or the immediately following business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. It must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency were not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, the precautionary suspension would terminate.

938-010623

Mar España Martí
Director of the Spanish Data Protection Agency