AEPD (Spain) - PS/00433/2021

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 17.01.2022
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: PS/00433/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Paola León

The Spanish DPA fined a tobacco store €2000 for unlawfully publishing a photo of a data subject and their partner on Facebook and Instagram, accompanied by accusations that they were responsible for robberies in the area.

English Summary

Facts

A data subject filed a complaint with the Spanish DPA (AEPD) against a tobacco shop in Tenerife called Island Meeting Puerto C.B. (the shop) for disseminating their image, as well as that of their partner, on the social media networks Facebook and Instagram. The posted images were accompanied by comments from the shop accusing them of several robberies.

The comments attached to the images read as follows:

"These two characters have been stealing from all tobacconists in the north. It never happens... Today it has happened to us again. We'll pay for data protection without problems. But it's okay that these people keep stealing and nothing happens. Where is the safe island where we lived in? Are we waiting for them to rob a bank? They have committed more than 20 robberies"

The AEPD contacted the shop about these allegations and gave it a month to carry out actions to bring its practices into compliance with the GDPR and to prevent this type of incident from recurring. However, no response to this communication was received.

Holding

The AEPD considered that the shop violated Article 6(1) GDPR by disseminating the image of the claimant and their partner (accompanied by negative comments and accusations) without their consent.

The AEPD took certain aggravating and mitigating factors into consideration in order to determine how to sanction this violation. Some aggravating elements included the fact that the shop's posting on social networks had the immediate effect of disseminating the claimant's personal data, the fact that two people had been affected by the post, the damage caused not only by the dissemination of images but also of accusations, and the shop's lack of response to the AEPD's request to implement measures to ensure that this practice did not occur in the future.

Regarding the mitigating factors, the AEPD took into consideration that the shop's activity was not linked to any further processing of personal data, that it is a small business, that there is no evidence it had committed a previous offense, and that it had acted negligently but not maliciously.

Based on these considerations, the AEPD imposed a €2,000 fine on the shop.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: PS/00433/2021


                RESOLUTION OF PUNISHMENT PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND

FIRST: Ms. A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on 05/07/2021. The claim is directed against MEETING PUERTO C.B. with NIF E76518877 (hereinafter, the party claimed). The grounds on which the claim is based are the following: the dissemination through the social networks Facebook and Instagram of her image, as well as that of her partner, accompanied by comments trying to undermine her credibility.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), in the scope of file E/06473/2021, both on 06/10/2021 and on 06/22/2021, said claim was transferred to the claimed party so that it could proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the data protection regulations.

No response to these letters has been received.

THIRD: On 08/23/2021 the Director of the Spanish Data Protection Agency agreed to admit the claim filed by the claimant for processing.

FOURTH: On 11/19/2021, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the defendant, for the alleged violation of article 6.1 of the RGPD, sanctioned in accordance with the provisions of article 83.5.b) of the aforementioned GDPR and considered for prescription purposes in article 72.1.b) of the LOPDGDD.

FIFTH: Once the initiation agreement was notified, the claimed party had not, at the time of this resolution, presented a written statement of allegations, for which reason the provisions of article 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, apply. Section f) of that article establishes that, in the event of not making allegations within the period established on the content of the initiation agreement, it may be considered a proposal for resolution when it contains a precise statement about the responsibility imputed, reason why a Resolution is issued.


SIXTH: From the actions carried out in this proceeding, the following have been accredited:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es








                                 PROVEN FACTS

FIRST: On 05/07/2021 the claimant submitted a letter to the Spanish Agency for Data Protection, noting that the defendant has spread through the social networks Facebook and Instagram her image, as well as that of her partner, accompanied by comments trying to undermine her credibility.

SECOND: There is a publication provided on Instagram in which the claimant and her partner appear; superimposed on the images is the following comment: “These two characters have been stealing from all tobacconists in the north. It never happens...
Today it was our turn again.
We pay for data protection without problems.
But it's okay that these people keep stealing and nothing happens.
The safe island where we lived where is it?

Are we waiting for them to rob a bank? They have more than 20 robberies”.


                            FOUNDATIONS OF LAW

                                            I

       By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and according to the provisions of articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and to resolve this procedure.


                                            II
       Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, in its article 64 "Agreement of initiation in the procedures of a sanctioning nature”, provides:

       "1. The initiation agreement will be communicated to the instructor of the procedure, with transfer of all the actions that exist in this regard, and the interested parties will be notified, understanding in any case by such the accused.
       Likewise, the initiation will be communicated to the complainant when the rules regulating the procedure so provide.

       2. The initiation agreement must contain at least:

       a) Identification of the person or persons allegedly responsible.
       b) The facts that motivate the initiation of the procedure, their possible rating and the sanctions that may apply, without prejudice to what results from the instruction.
       c) Identification of the instructor and, where appropriate, Secretary of the procedure, with express indication of the system of recusal of the same.
       d) Competent body for the resolution of the procedure and regulation that attributes such competence, indicating the possibility that the presumed responsible can voluntarily acknowledge their responsibility, with the effects provided for in article 85.
       e) Provisional measures that have been agreed by the body competent to initiate the sanctioning procedure, without prejudice to those that may be adopted during the same in accordance with article 56.
       f) Indication of the right to formulate allegations and to the hearing in the procedure and the deadlines for its exercise, as well as an indication that, if no allegations are made within the stipulated period on the content of the initiation agreement, this may be considered a resolution proposal when it contains a precise statement about the responsibility imputed.

       3. Exceptionally, when at the time of issuing the initiation agreement there are not sufficient elements for the initial qualification of the facts that motivate the initiation of the procedure, the aforementioned qualification may be carried out in a later phase by drawing up a List of Charges, which must be notified to the interested parties".


        In application of the previous precept and taking into account that no allegations were formulated to the initiation agreement, it is appropriate to resolve the initiated procedure.

                                             III
        The facts claimed consist of the publication by the claimed party, without legitimation or consent, through the social network Instagram, of the images of the claimant and her partner accompanied by unfortunate comments, which could constitute a violation of the regulations on the protection of personal data.

        Article 58 of the RGPD, Powers, states:

        "2. Each control authority will have all the following corrective powers listed below:

        (…)
        i) impose an administrative fine pursuant to article 83, in addition to or instead of the measures mentioned in this section, depending on the circumstances of each particular case;
        (…)”


        Article 6, Legality of the treatment, of the RGPD establishes:

        "1. The treatment will only be lawful if at least one of the following conditions is met:

        a) the interested party gave their consent for the processing of their personal data for one or more specific purposes;
        b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at its request of pre-contractual measures;
        c) the treatment is necessary for the fulfillment of a legal obligation applicable to the data controller;
        d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
        e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers vested in the controller of the treatment;
        f) the treatment is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.
        The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions.

        (…)”.

        On this question of the legality of the treatment, Recital 40 of the aforementioned RGPD is also relevant, when it states that «In order for the treatment to be lawful, personal data must be treated with the consent of the interested party or on some other legitimate basis established in accordance with law, either in this Regulation or by virtue of another Law of the Union or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the data controller or the need to perform a contract to which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract.»

        Article 4 of the GDPR, Definitions, in section 11, states that:

        “11) «consent of the interested party»: any free, specific, informed and unequivocal manifestation of will by which the interested party accepts, either through a declaration or a clear affirmative action, the treatment of personal data that concern them”.

        Also article 6, Treatment based on the consent of the affected party, of the new Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), states that:

        "1. In accordance with the provisions of article 4.11 of the Regulation (EU) 2016/679, consent of the affected party is understood to be any free, specific, informed and unequivocal manifestation of will by which they accept, either through a declaration or a clear affirmative action, the treatment of personal data that concern them.

        2. When the data processing is intended to be based on the consent of the affected party for a plurality of purposes, it will be necessary to state in a specific and unequivocal way that said consent is granted for all of them.

        3. The execution of the contract may not be subject to the affected party consenting to the processing of personal data for purposes unrelated to the maintenance, development or control of the contractual relationship”.


        Therefore, in light of the facts, it is evident that the data processing carried out by the respondent with the dissemination on Instagram of the image of the claimant and her partner accompanied by unfortunate comments has been made without any legitimizing cause among those collected in article 6 of the RGPD.

                                             III

        The infraction attributed to the defendant is typified in Article 83.5 a) of the RGPD, which considers that the infringement of “the basic principles for treatment, including the conditions for consent under Articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned Article 83 of the aforementioned Regulation, "with administrative fines of €20,000,000 as maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the highest amount”.

        The LOPDGDD in its article 71, Violations, states that: “The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute violations”.

        And in its article 72, it considers for prescription purposes, which are: "Infringements considered very serious:

        1. Based on the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and the infractions that entail a substantial violation of the articles mentioned therein and, in particular, the following:

        (…)
        b) The treatment of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679.
        (…)”


                                             IV
        The documentation in the file shows that the defendant violates Article 6.1 of the RGPD, when proceeding to the dissemination of the image of the claimant and her partner, accompanied by certain comments, without any legitimizing cause such as consent or authorization in social networks.


        It should be noted that the GDPR excludes tacit consent and requires that it be explicit. With the entry into force of the RGPD and the new LOPDGDD, only express consent is admitted. The most important novelty regarding consent that the RGPD incorporates is that it must be granted through a clear affirmative act that evidences a free, specific, informed and unequivocal declaration of will of the interested party to admit the treatment of personal data that affect him; that there is not the slightest doubt that there has been manifest will on the part of the client, giving their express consent to be able to treat their personal data with the specific purposes detailed in the form.

        The request for consent must be clear and specific, and must not unnecessarily disrupt the use of the service for which it is provided. All this only emphasizes the need for express consent to the treatment.

                                             V
        In order to establish the administrative fine to be imposed, the provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which indicate:

        "1. Each control authority will guarantee that the imposition of administrative fines in accordance with this article for infringements of this Regulation indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.


        2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account:

        a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered;
        b) intentionality or negligence in the infringement;
        c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties;
        d) the degree of responsibility of the data controller or data processor, taking into account the technical or organizational measures that have been applied under articles 25 and 32;
        e) any previous infringement committed by the controller or the processor;
        f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
        g) the categories of personal data affected by the infringement;
        h) the way in which the supervisory authority became aware of the infringement, in particular if the controller or the processor notified the infringement and, in such case, to what extent;
        i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the controller or the processor in question in relation to the same matter, compliance with said measures;
        j) adherence to codes of conduct under article 40 or mechanisms approved in accordance with article 42, and
        k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits realized or losses avoided, directly or indirectly, through infringement.


        In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that:

        "2. In accordance with the provisions of article 83.2.k) of the Regulation (EU) 2016/679 may also be taken into account:

        a) The continuing nature of the offence.
        b) The link between the activity of the offender and the performance of treatments of personal data.
        c) The profits obtained as a result of committing the offence.
        d) The possibility that the conduct of the affected party could have induced the commission of the offence.
        e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.
        f) Affectation of the rights of minors.
        g) Having, when not mandatory, a data protection delegate.
        h) The submission by the controller or processor, voluntarily, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party.”

        In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the fine to be imposed in the present case for the infringement typified in article 83.5 of the RGPD for which the defendant is responsible, in an initial assessment, the following factors are considered concurrent:

        Aggravating circumstances are:

        The scope of the treatment carried out by the claimed party, since it must not be forgotten that this has been done through publication on the social network (Instagram), whose diffusion is immediate.

        Two people have been affected by the offending conduct.

        The damage caused concerns not only the dissemination of the images of the claimant and her partner, but also the fact that they are accompanied by comments for the purpose of discrediting.

        The respondent has not indicated the measures to be established in order to prevent incidents similar to the one that occurred, by not having responded to the informative request that was sent to it.

        There is no evidence that the defendant had acted maliciously, even though negligent behavior is observed.

        Extenuating circumstances are:

        The activity of the offender is not linked to the performance of personal data treatment, or there is no record of said link.

        The respondent is a small business.

        There is no evidence that it had committed a previous offense.




       Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduation of sanctions whose existence has been proven,


       The Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on MEETING PUERTO C.B., with NIF E76518877, for an infringement of Article 6.1 of the RGPD, typified in article 83.5.b) of the RGPD, a fine of €2,000 (two thousand euros).


SECOND: NOTIFY this resolution to MEETING PUERTO C.B., with NIF
E76518877.

THIRD: Warn the sanctioned party that it must make the imposed sanction effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment term established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A.. Otherwise, it will be collected in the executive period.

Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the voluntary payment will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term will be until the 5th of the second following month or immediately after.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month counting from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution in administrative proceedings may be provisionally suspended if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would end the precautionary suspension.




                                                                            Mar España Martí
                                 Director of the Spanish Data Protection Agency

















































