AEPD - PS/00558/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR; Article 83(5)(b) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 08.03.2022 |
Decided: | 28.08.2023 |
Published: | 28.08.2023 |
Fine: | 10,000 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00558/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Mgrd |
The Spanish DPA fined an individual €10,000 for publishing a video of a data subject in a vulnerable situation, without his consent, violating Article 6 (1) GDPR.
English Summary
Facts
In January 2022, the data subject was on a public road with his dog feeling unwell due to the ingestion of alcoholic beverages. When the data subject stopped, an unknown person approached in his car holding his mobile phone from the driver's seat.
Without the data subject’s consent, the driver recorded the data subject on the aforementioned public road for a period of 1 minute and 35 seconds. In the video it is evident that the face of the data subject can be seen, being perfectly recognisable.
Allegedly, the data subject was in very bad physical condition due to the ingestion of alcoholic beverages, holding on to the litter bin. The video was disseminated and disclosed by the author and other unknown persons, at first via WhatsApp, both to individual users and to WhatsApp groups, and was later published and disseminated on other social networks: Facebook, Instagram, Twitter and YouTube.
In September 2022, it was confirmed that Facebook had removed the video in question.
Holding
The Spanish DPA fined an individual €10,000 for publishing a video of a data subject in a vulnerable situation, without his consent, violating Article 6 (1) GDPR.
In its decision, the AEPD concluded that the respondent disseminated through social networks a video of the data subject, without his consent or any other legal basis for processing of Article 6(1) GDPR, in which he appears in a clearly delicate situation.
In the video, the face of the data subject is visible, which allows him to be clearly identified.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202204530
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On 03/08/2022, a claim was entered into this Agency presented by A.A.A. (hereinafter, the complaining party) for a possible non-compliance with the provisions of the personal data protection regulations. The statement of claim is a reproduction of a complaint filed by the complaining party in which it states the following:
“Complaint for massive dissemination of video recorded without the consent of the victim, in social networks (Facebook, Instagram, etc.) and WhatsApp. […]
FIRST.- On January 6, 2022, around 3 a.m., he was in the ***ADDRESS.1, with his dog (…). My client (…) found himself quite unwell due to the probable ingestion of alcoholic beverages, for which reason it was to stop (…).
SECOND.- Subsequently and due to the video that we will now indicate, apparently an unknown person approached driving his vehicle and, with his cell phone from the driver's seat, without the consent of my client, recorded my client on the aforementioned public road during a recording period of 1 minute and 35 seconds (…). In it, it is clearly observed how the driver of the vehicle approaches with the vehicle and records my client with evident bad faith, to such an extent that he tells him (he transcribes part of what is said in the video). In the image it is clearly observed how my client was in very poor physical condition as described above, holding on to the trash can. We understand that the attitude of the person who records the video is completely inconsiderate and disproportionate, laughing and mocking D.A.A.A., without any cause, and he does not even offer to help him in such a situation, omitting all possible help. In the video it is evident that the face of my client can be seen, being perfectly recognizable. My client is not a public person.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
THIRD.- The aforementioned video has been disseminated and disseminated by the author, and other unknown people, initially by the WhatsApp application both to individual users and to WhatsApp groups, but it has been published and disseminated through social networks: Facebook, Instagram, Twitter and YouTube; to the point that it has had a repercussion throughout the national territory (...). Links are left of the diffusions of different social networks and of people who have carried out massive dissemination (…)”
SECOND: On 04/19/2022, in accordance with article 65 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the claim presented by the complaining party was admitted for processing.
THIRD: The General Subdirectorate of Data Inspection proceeded to carry out previous investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points:
After having made a request to delete the content still published to the claimed party, on 05/06/2022 and 06/07/2022, the content was only deleted from the address of the social network FACEBOOK ***URL.1. Likewise, on 07/07/2022, an agreement was issued to adopt a provisional measure requiring the claimed party to remove and block the reported content.
In response to the precautionary measure of urgent withdrawal issued on 08/17/2022 to the provider of the FACEBOOK social network service, on 09/12/2022 it was verified that the video indicated in the claim at the internet address ***URL.2 has been removed.
FOURTH: On 12/23/2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 6.1 of the RGPD, typified in article 83.5.a) of the RGPD.
The initiation agreement was notified to the claimed party by postal mail on 01/17/2023, as stated in the acknowledgment of receipt in the file. Once the period granted for the formulation of allegations has elapsed, this Agency has not received any allegation from the claimed party.
FIFTH: On 05/08/2023, the instructor body prepared a proposal for resolution in which it was proposed to sanction the claimed party with a fine of €10,000.00 for the violation of article 6.1 of the RGPD, typified in article 83.5.a) of the GDPR.
The proposed resolution was notified to the claimed party by postal mail on 06/05/2023, as stated in the acknowledgment of receipt in the file. Once the period granted for the formulation of allegations has elapsed, this Agency has not received any allegation from the claimed party.
PROVEN FACTS
FIRST: On 01/07/2022 the claimed party publishes on its Facebook profile, under the title “***TITLE.1”, a video of the complaining party, without his consent, in which he appears in an obvious state of intoxication. The duration of the video is one minute and thirty-five seconds.
SECOND: On 04/20/2022 it is verified that, of all the links reported by the complaining party, the video object of the complaint is only available in the Facebook profile of the claimed party. Specifically, at the following Internet addresses:
- ***URL.1
- ***URL.2
THIRD: On 09/12/2022 it is confirmed that META PLATFORMS IRELAND LIMITED (through FACEBOOK SPAIN, S.L.) has removed the video in question from the social network Facebook and, specifically, the links indicated above.
FUNDAMENTALS OF LAW
I
Competition and applicable regulations
In accordance with the powers that article 58.2 of the RGPD grants to each control authority and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II
Previous issues
Article 4 “Definitions” of the GDPR defines the following terms for the purposes of the Regulation:
"1) 'personal data': any information about an identified or identifiable natural person ("the interested party"); an identifiable natural person will be considered any person whose identity can be determined, directly or indirectly, in particular by an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, mental, economic, cultural or social identity of said person;”
“2) “treatment”: any operation or set of operations performed on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, deletion or destruction;”
In the present case, in accordance with article 4.1 of the GDPR, the physical image of a person is personal data. In this way, its inclusion in web pages, forums, publications, which identifies or makes a person identifiable, involves processing of personal data.
III
Legality of the processing of personal data
The principles that must govern the treatment are listed in article 5 of the GDPR. In this sense, section 1 letter a), states that:
“Personal data will be: a) Treated in a lawful, loyal and transparent manner in relation to the interested party (legality, loyalty and transparency); (…)”
The principle of legality is fundamentally regulated in article 6 of the GDPR. The assumptions that allow the processing of personal data to be considered lawful are listed in article 6.1 of the GDPR:
“1. Treatment will only be legal if at least one of the following conditions is met:
a) the interested party gave his/her consent to the processing of his/her personal data for one or more specific purposes;
b) the processing is necessary for the execution of a contract in which the interested party is a party or for the application at his request of pre-contractual measures;
c) the treatment is necessary for compliance with a legal obligation applicable to the person responsible for the treatment;
d) the processing is necessary to protect vital interests of the interested party or of another natural person;
e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible for the treatment;
f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that said interests do not prevail over the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.
The provisions of letter f) of the first paragraph will not apply to the processing carried out by public authorities in the exercise of their functions.”
Likewise, Recital 40 of the aforementioned GDPR provides that “In order for the processing to be lawful, personal data must be processed with the consent of the interested party or on some other legitimate basis established in accordance with Law, whether in this Regulation or by virtue of other Union law or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the data controller or the need to execute a contract to which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract.”
In light of the documentation in the administrative file, it is evident that the claimed party spread a video of the complaining party, without the legal basis provided for in article 6.1 of the RGPD that legitimizes the processing of his image (the complaining party expressly indicating that it does not have his consent), in which he appears in a delicate situation. Throughout the minute and thirty-five seconds that the video lasts, the face of the affected person can be seen in full, allowing him to be clearly identified.
Consequently, in accordance with the evidence available at the present moment of resolution of the sanctioning procedure, it is considered that the known facts constitute an infringement, attributable to the claimed party, for violation of article 6.1 of the RGPD.
IV
Classification and qualification of the violation of article 6.1 of the RGPD
The aforementioned violation of article 6.1 of the RGPD implies the commission of the violation typified in article 83.5.a) of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides:
“Infringements of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to 4% of the total global annual business volume of the previous financial year, choosing the highest amount:
a) The basic principles for treatment, including the conditions for consent under articles 5, 6, 7 and 9; (…)”
In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.”
For the purposes of the limitation period, article 72 “Offenses considered very serious” of the LOPDGDD indicates:
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following, are considered very serious and will prescribe after three years:
a) (…)
b) The processing of personal data without any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679 concurring. (…)”.
V
Penalty for violation of article 6.1 of the GDPR
The corrective powers available to the Spanish Data Protection Agency, as a supervisory authority, are established in article 58.2 of the GDPR. Among them is the power to impose an administrative fine in accordance with article 83 of the RGPD -article 58.2 i)-, or the power to order the person responsible or processor that the processing operations comply with the provisions of the GDPR, where applicable, in a certain manner and within a specified period -article 58.2 d).
In the present case, taking into account the facts presented, it is considered that the sanction that should be imposed is an administrative fine. The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with article 83.1 of the GDPR. In order to determine the administrative fine to be imposed, the provisions of article 83.2 of the RGPD must be observed, which indicates:
"2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account:
a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages that they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that have been applied under articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or to mechanisms of certification approved in accordance with article 42,
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through infringement.”
For its part, in relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its article 76, "Sanctions and corrective measures", provides:
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of said article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 the following may also be taken into account:
a) The continuous nature of the infringement.
b) The link between the activity of the offender and the performance of personal data processing.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected party could have included the commission of the offence.
e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection delegate.
h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between those and any interested party."
These are aggravating circumstances:
- The nature, severity and duration of the infraction, taking into account the nature, scope or purpose of the processing operation in question, as well as the level of damages they have suffered; the claimed party publishes the personal data of the image of the complaining party, since it broadcasts a video of him in a delicate situation, mocking him, which allows his unique identification (art. 83.2.a) RGPD).
- The offender's conduct reflects a clear intention to denigrate the complaining party, since he spreads the video through social networks whose diffusion is immediate (art. 83.2.b) RGPD).
The balance of the circumstances contemplated, with respect to the infraction committed by violating the provisions of article 6.1 of the RGPD, allows setting a fine of €10,000.00 (ten thousand euros).
Therefore, in accordance with the applicable legislation and having evaluated the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE on B.B.B., with NIF ***NIF.1, for a violation of article 6.1 of the RGPD, typified in article 83.5.b) of the RGPD, a fine of €10,000.00 (ten thousand euros).
SECOND: NOTIFY this resolution to B.B.B., with NIF ***NIF.1.
THIRD: Warn the sanctioned person that he must make the sanction imposed effective once this resolution is executive, in accordance with the provisions of article 98.1.b) of the LPACAP, within the voluntary payment period established in article 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to article 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned person and the procedure number which appears at the header of this document, in the restricted account number IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXXX), open in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected within the executive period.
Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the voluntary payment will be until the 20th of the following month or immediately following business month, and if it is between the 16th and last day of each month, both inclusive, the payment period will be until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with article 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly a contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.
Finally, it is noted that in accordance with the provisions of article 90.3 a) of the LPACAP, the final resolution may be provisionally suspended administratively if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.
938-181022
Mar España Martí
Director of the Spanish Data Protection Agency