AEPD (Spain) - PS/00491/2020

From GDPRhub
AEPD - PS/00491/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 06.04.2021
Published:
Fine: 8000 EUR
Parties: HIGHCLIFFE ESTATES MARBELLA, S.L.
BUSINESS & LAW PARTNERS
National Case Number/Name: PS/00491/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA fined a real estate company €8000 for publishing the name and image of a person without consent, and issued a warning for a violation of Article 13 GDPR regarding its website's privacy policy.

English Summary

Facts

A law firm filed a complaint before the AEPD on 29 July 2020 against a real estate company for failing to comply with the GDPR on its corporate website (www.higclffeestates.com).

The complaint was based:

  1. Firstly, on the lack of information regarding the processing of data collected by the form of the website.
  2. Secondly, on the fact that the image and personal data of one of the partners of the complainant's law firm was displayed without their consent.
  3. Lastly, on the fact that the privacy policy of the company's website made reference to the derogated Data Protection Act from 1999.

Dispute

  • Can the reference to a repealed law in the privacy policy be considered to constitute a breach of Article 13 of the GDPR?
  • Is the publication of a photograph and personal data without the data subject's express consent a violation of Article 6 (1) GDPR?

Holding

The AEPD found that publishing the image of the data subject without his consent was a violation of Article 6 (1) GDPR, and decided to fine the controller €8000.

Secondly, the AEPD decided that the lack of the necessary information and making reference to the derogated Data Protection Act was a violation of Article 13 GDPR and issued a warning to the controller.

The AEPD took into account the following aggravating factors (Article 83 (2) GDPR) to determine the level of the sanction:

  • It is an intentional negligent action (art. 83 (2) (b) GDPR).
  • The AEPD became aware of the infringement through the complainant's filing of a complaint (Art. 83 (2) (h) GDPR).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/6








     Procedure No.: PS / 00491/2020

                RESOLUTION OF SANCTIONING PROCEDURE


In the sanctioning procedure PS / 00491/2020, instructed by the Spanish Agency for
Data Protection, to the entity, HIGHCLIFFE ESTATES MARBELLA, S.L., with CIF .:
B93407872, owner of the website: www.higcliffeestates.com, (hereinafter, “the entity
claimed ”), by virtue of the claim presented by the entity, BUSINESS &

LAW PARTNERS with CIF .: B87322913, (hereinafter, “the claimant entity”), by
alleged violation of data protection regulations, and taking into account the following
following:

                                   BACKGROUND


FIRST: On 07/29/20, the complaining entity sent this Agency a written
claim, indicating, among others:

"It has been known that the website www.higcliffeestates.com does not comply
the regulations on the processing of personal data reflected in the LOPDGDD

and the GDPR. The website lacks a Legal Notice, Privacy Policy and a
acceptance of this policy in the contact form where data from
personal character. Therefore, the treatment that will be given to the data is unknown.
collected ”.


In addition, within the web page, (…) the following link: *** URL.1, as stated
verified. a warning is reached in which the image of one of the
partners of the BUSINESS & LAW office, without their consent ”.

SECOND: In view of the facts presented in the claim and the documents
provided by the claimant, the SG of Data Inspection proceeded to carry out

actions for its clarification, under the protection of the powers of investigation
granted to the control authorities in article 57.1 of Regulation (EU) 2016/679
(GDPR). Thus, dated 10/06/22, an informative request is addressed to the entity
claimed.


According to a certificate from the State Postal and Telegraph Society, the request to send
to the claimed entity, on 10/06/20, through the SICER service, it was returned
to origin with the message of "unknown" on 10/28/20.

THIRD: On 12/17/20 by the Director of the Spanish Agency for

Data Protection an agreement is issued for the admission of processing of the complaint presented.
given by the claimant, in accordance with article 65 of Organic Law 3/2018, of
December 5, Protection of Personal Data and guarantee of digital rights
(LPDGDD), considering that the response given by the complainant to this Agency
In relation to the facts claimed, it does not prove its submission to the current legislation.
people.


FOURTH: by this Agency, checks are made on the Policy of
Privacy, Legal Notice and Cookie Policy of the reported website,
www.higcliffeestates.com, verifying the following characteristics in this regard:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/6









    - About the processing of personal data on the website:



On the home page, through the link <<contact>>, located at the bottom of the
itself, is redirected to a form, http://www.highcliffeestates.com/en/contact, where
Users' personal data is collected, such as name, telephone number and email.

On the same page where the form is located

http://www.highcliffeestates.com/en/contact, there is the following information about the
responsible for the processing of personal data: - e-mail: info @ highcliffeesta-
tes.com, - Telephone +34 661 869 811.

    - About the "Privacy Policy" of the website:


Through the link << Privacy Policy >>, existing at the bottom of the page
contact details indicated above, as well as at the bottom of the main page,
the web redirects to a new page, http://www.highcliffeestates.com/es/politica-priva-
city, which provides, the identification of the person responsible for data processing
personal, on intellectual and industrial property, the responsibility of the content

nests; Reproduction of content; on the legitimacy of the processing of personal data
sonal and the exercise of user rights; and on the applicable law

    - About the "Cookies Policy" of the website:

On the initial page of the indicated website (first layer), no banner is displayed

to report the use of cookies, however, it is verified that only
uses a session cookie, for technical purposes, as indicated by the entity in its
"Privacy Policy".

    - On the non-consensual treatment of personal data:


Within the web page (…) and following the link: *** URL.1, (…) you can see the
photograph of a person and a "Notice to Local Agencies", warning of the alleged
actions of two people belonging to the complaining entity.

FOURTH: In view of the facts denounced and the evidence observed in the
website, the Director of the Spanish Agency for Data Protection, dated
02/12/21, agreed to initiate a sanctioning procedure against the claimed entity, by virtue of
of the established powers, for failing to comply with the provisions of articles 13 with a
sanction of warning and for violation of article 6.1 of the RGPD with sanction of

8,000 euros.
FIFTH: Notified the initiation agreement, the claimed entity, no

type of allegations to the initiation of file, in the time granted to the effect.

                                 PROVEN FACTS

1.- As stated in the claim, the website www.higcliffeestates.com does not

complies with the regulations on the processing of personal data. Also, inside
of the website, personal images are used without express consent to
this or any other cause that legitimizes the processing of personal data.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/6









2.- As this Agency has been able to verify, on the website in question, you can
collect personal data from users, however, its privacy policy follows

referring to the repealed Organic Law 15/1999, of December 13, on Pro-
Protection of Personal Data (LOPD).

3.- Regarding the non-consensual treatment of personal data, it has been possible to confirm
bar that on the website, through *** URL.1 (…) you can see the photograph of
a person and a "Notice to Local Agencies", warning of the alleged actions

irregularities of two people belonging to the claimant entity.

                            FOUNDATIONS OF LAW

                                             I

The Director of the Spanish Agency is competent to resolve this procedure
of Data Protection, in accordance with the provisions of art. 58.2 of the GDPR in
the art. 47 of LOPDGDD.
                                             II

Article 64.2.f) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, of October 2, 2015, hereinafter LPA-
CAP, provides that:

“The initiation agreement must contain at least: (…)

f) Indication of the right to make allegations and to a hearing in the procedure and
of the deadlines for its exercise, as well as an indication that, in case of not carrying out
allegations within the established period on the content of the initiation agreement, it may
It shall be considered a resolution proposal when it contains a pronouncement
precise about the imputed responsibility. " (the underlining corresponds to the

AEPD).
In the present case, such requirements have been observed, since in the agreement of

at the beginning, the provisions of article 64.2.f) of the LPACAP were specified,
the alleged offense committed together with its corresponding classification, is determined
The amount of the sanction according to the graduation criteria taken into account
account based on the evidence obtained at that date, also reporting on
the planned reductions on the amount set by virtue of the provisions of article

section 85 of the LPACAP.
In consideration of the foregoing and in accordance with the provisions of article
64.2.f) of the LPACAP, the agreement to initiate this file is considered Pro-

Resolution, since it contained a precise pronouncement about the
imputed liability and, after notification in the manner described in the foregoing
in fact fourth, the defendant has not formulated allegations to it within the specified term.
assigned for such purposes.
                                             III

The joint assessment of the documentary evidence in the procedure brings to
knowledge of the AEPD, a vision of the denounced action that has been
reflected in the facts declared proven above related.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/6








Regarding the "Privacy Policy" of the website, it has been found that it
refers to the repealed Organic Law 15/1999, of December 13, on Protec-
tion of Personal Data (LOPD).


According to article 99 of the RGPD, the entry into force and application of the new RGPD was,
"Twenty days after its publication in the Official Journal of the European Union (05/25/16)"
and it would be applicable as of May 25, 2018 ”. Therefore, as of 05/25/18,
the LO was repealed. 15/1999, (LOPD), applying compulsorily, from that date
date, the current RGPD and as of 12/07/18 the new LOPDGDD.


The known facts could be constitutive of an infraction, attributable to the
claimed, for violation of article 13 of the RGPD, which establishes the information that
must be provided to the interested party at the time of collection of their data
personal.


For its part, article 72.1.h) of the LOPDGDD, considers very serious, for the purposes of
prescription, “the omission of the duty to inform the affected party about the treatment of
your personal data in accordance with the provisions of articles 13 and 14 of the RGPD "

This offense may be punished with a fine of a maximum of € 20,000,000 or,

in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for the
of a higher amount, in accordance with article 83.5.b) of the RGPD.

However, Article 58.2) of the RGPD provides that: “Each control authority

have all of the following corrective powers listed below: b)
sanction any person responsible or in charge of the treatment with warning when
the treatment operations have infringed the provisions of this
Regulation; (…); i) impose an administrative fine in accordance with article 83,
in addition to or instead of the measures mentioned in this section, according to the

circumstances of each particular case ”, therefore, the sanction would be
"Warning."

                                           IV
Regarding the non-consensual treatment of personal data, it has been verified that
there is a publication of a photograph of the interested party and their personal data, according to

claim, without the express consent of the interested party.

The known facts are constitutive of an infraction, attributable to the defendant, for
violation of art. 6.1 of the RGPD, when publishing personal data of the claimant without the
legitimation necessary for it.


For its part, article 72.1.b) of the LOPDGDD, considers very serious, for the purposes of
prescription, "Failure to comply with the requirements of article 6 of the RGPD".

This offense may be punished with a fine of a maximum of € 20,000,000 or,

in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for the
of a higher amount, in accordance with article 83.5.b) of the RGPD.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/6








In accordance with the indicated precepts, in order to set the amount of the sanction to
impose in the present case, the sanction to be imposed should be adjusted in accordance with
the following aggravating criteria established in article 83.2 of the RGPD:


    - The intentionality or negligence in the infringement. In the present case we are
        before intentional negligent action, (section b).

    - The way in which the supervisory authority learned of the infringement. The

        The way in which this AEPD has been made aware has been through the filing of
        the complaint by the claimant, (section h).

The balance of the circumstances contemplated in article 83.2 of the RGPD, with

Regarding the offense committed by violating the provisions of its article 6.1, it allows
set a penalty of 8,000 euros, (eight thousand euros).

In accordance with the above, the Director of the Spanish Agency for the Protection of
Data


                                       RESOLVES:

FIRST: IMPOSE the entity HIGHCLIFFE ESTATES MARBELLA, S.L., with
CIF .: B93407872, owner of the website: www.higcliffeestates.com, a sanction of
"Warning", for the violation of article 13) of the RGPD, and a sanction of 8,000

euros (eight thousand euros), for the violation of article 6.1) of the RGPD.


SECOND: NOTIFY this resolution to the entity HIGHCLIFFE ESTATES
MARBELLA, S.L., and the claimant on the result of the claim.
Warn the sanctioned person that the sanction imposed must be effective once it is

executive this resolution, in accordance with the provisions of article 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the Ad-
Public Ministries (LPACAP), within the voluntary payment period indicated in article
68 of the General Collection Regulation, approved by Royal Decree 939/2005,
of July 29, in relation to art. 62 of Law 58/2003, of December 17, me-

when entering the restricted account number ES00 0000 0000 0000 0000 0000, opened
on behalf of the Spanish Agency for Data Protection in Banco CAIXABANK,
S.A. or otherwise, it will be collected in the executive period.

Received the notification and once executive, if the date of execution is found
between the 1st and the 15th of each month, both inclusive, the deadline for making the vo-
luntario will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 82 of Law 62/2003, of December 30-
of fiscal, administrative and social order measures, this Resolution is

will be made public, once it has been notified to the interested parties. The publication is made-
It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency
Spanish Data Protection Agency on the publication of its Resolutions.

Against this resolution, which puts an end to administrative proceedings, and in accordance with
established in articles 112 and 123 of the LPACAP, the interested parties may interpose
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/6








ner, optionally, appeal for reconsideration before the Director of the Spanish Agency
of Data Protection within a period of one month from the day following the notification

fication of this resolution, or, directly administrative contentious appeal before the
Contentious-administrative Chamber of the National Court, in accordance with the provisions
set out in article 25 and in section 5 of the fourth additional provision of the Law
29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the

or two months from the day following the notification of this act, according to
the provisions of article 46.1 of the aforementioned legal text.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the interested party
do manifests its intention to file a contentious-administrative appeal. Of being
In this case, the interested party must formally communicate this fact in writing
addressed to the Spanish Agency for Data Protection, presenting it through the Re-

Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to
through any of the other records provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also forward the documentation to the Agency
that certifies the effective filing of the contentious-administrative appeal. If the

Agency was not aware of the filing of the contentious-administrative appeal
trative within two months from the day following notification of this
resolution, would terminate the precautionary suspension.


Mar Spain Martí
Director of the Spanish Agency for Data Protection.

































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es