AEPD (Spain) - EXP202202837

From GDPRhub
AEPD - ps-00107-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 83(2) GDPR
§169(1) Criminal Code
§7 LOPDGDD
§76(2)(a) LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 5.000 EUR
Parties: n/a
National Case Number/Name: ps-00107-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Michelle Ayora

The Spanish DPA imposed a fine of € 5.000 on a minor (the controller) for the unlawful processing of the personal data of another minor since the consent was void. The controller was found guilty in a juvenile procedure regarding the same event, however, the DPA considered that there was no identity of facts and ground, therefore, the administrative fine was applicable.

English Summary

Facts

The data subject’s parent submitted a complaint before the Spanish DPA. The defendant and the data subject -both minors- were in contact through Instagram and WhatsApp and in some communications, the data subject sent intimate images. After some time, the defendant asked for more images and, to obtain that, the defendant threatened and blackmailed the data subject by stating that those videos and images will be made public on social media, which made the data subject send more images.

For the above-mentioned facts, the defendant was sentenced by the Juvenile Court.

The Spanish DPA initiated an investigative proceeding for an alleged violation of Article 6(1) of the GDPR.

The defendant claimed the violation of the constitutional principle ‘ non-bis in idem’ since the defendant was already found guilty of threatening in a juvenile criminal proceeding; the lack of disclosure of any of the images sent by the data subject; the illegitimate use of social media by the data subject since they did not have the minimum required age for any of the platforms, combined with the non-compliance of parental obligations by their parents; lack of evidence of psychological or moral damages by the data subject.

Holding

In the first place, the DPA challenged the claim regarding the principle non-bis in idem. The DPA stated the necessary elements to consider sanctioning concurrence, this is, the similarity between subject, facts and ground. In the present case, there is only similarity regarding the subject; however, there is neither a factual identity nor a causal similarity.

About the factual identity, the DPA stated that the juvenile criminal proceeding started and ended due to the violation of Article 169(1) of the Spanish Criminal Code (threatening to the data subject) whereas the present sanctioning proceeding started due to the alleged violation of Article 6(1)(a) GDPR (unlawful processing of data subject’s personal data and void consent).

Regarding the ground or reason, the DPA stated that in the juvenile criminal proceeding, the protected legal good is the right to freedom of choice whereas, in this administrative proceeding, it is the right to have personal data protected.

Secondly, the DPA mentioned that from the text of the GDPR one cannot infer the need for disclosure to make GPDR applicable. In other words, the mere collection, register, and storage of the data subject’s images and videos made by the defendant (controller) are enough reasons to make GDPR applicable.

In third place, the supervisory authority stated the need for a legal basis for the processing. Regarding the consent, since the data subject is a minor, Article 7 of the national legislation is applicable. This foresees that consent is only valid if given by someone over 14 years old; otherwise, the parent’s consent (or another legal representative) is mandatory. In the present case, the minor was 13 years old, therefore, there is a violation of the lawfulness of the processing based on the consent.

Finally, the DPA applied two aggravating circumstances of Article 83.2: (a) The nature scope and purpose of the processing concerned as well as the level of damage for the data subjects, and (b) the intentional character of the infringement, since the defendant threatened the data subject, and this was proven by a judicial sentence. Similarly, the DPA applied one aggravating circumstance contained in Article 76(2)(a) of the national legislation: prejudice to a minor.

On the other hand, the DPA applied the principle of proportionality and individualization of sanctions and considered the defendant’s testimony about the deletion of the images and videos, thus stopping the processing of such data.

For those facts, the DPA imposed a fine of € 5.000 and ordered the defendant to delete any other personal data regarding the data subject and requested a report to the Agency about the measures adopted to do so.

Comment

In Spain, the administrative law allows minors over 14 years old to be administratively sanctioned for violations of such laws, in those cases, their parents become responsible for the payment (indirect liability) as explained by the DPA on this brochure: https://www.aepd.es/es/documento/responsabilidad-menores-padres-madres.pdf

Legal source: Article 3 LPAC (https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565)

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/18








     Procedure No.: PS/00107/2022 (EXP202202837)

                 RESOLUTION SANCTION PROCEDURE


By Agreement dated 03/11/22, the sanctioning procedure was initiated,
PS/0107/2022, instructed by the Spanish Data Protection Agency before D.
A.A.A., by virtue of the claim presented by D. B.B.B., on behalf of its
minor daughter, for the alleged violation of the regulations for the protection of
Data: Regulation (EU) 2016/679, of the European Parliament and of the Council, of

04/27/16, regarding the Protection of Physical Persons with regard to the
Processing of Personal Data and the Free Movement of these Data (RGPD), and
violation of Organic Law 3/2018, of December 5, on Data Protection
Personal Rights and Guarantee of Digital Rights (LOPDGDD), and based on
the following:


                                  BACKGROUND

FIRST: On 03/02/22, you have an entry in this Agency, writing presented by
the claimant, in which he indicated, among other things, the following:


       "In the court ruling it is described how the defendant threatened and blackmailed
       my underage daughter to send her sensitive images via chat
       Instagram and WhatsApp. Through Instagram communications begin on
       10/15/19 at 23:20 and by WhatsApp the communications that are preserved
       They are as of 01/02/20.”


Along with the claim document, provide the data and dates of the Instagram accounts
and WhatsApp and telephone numbers of the defendant and his underage daughter.

A copy of Judgment No. XX/02020 of Juvenile Court No.

(...).- Reform File number XXX/2020 (Prosecutor's Office number XXX/2020), where
The following is stated in the “Proven Facts” of the Judgment:

       That the defendant, browsing the Instagram application, met the minor
       of age (Claimant's daughter) aged 13, entering into such a close relationship
       of confidence that the minor sent him videos and photos of an intimate nature,

       both through the Instagram application and through WhatsApp.

       That, after some time, the defendant demanded that the girl follow him
       sending photos and videos, but since she refused, the defendant intimidated her
       telling him that he would upload the photos and videos he already had to social media.


       That the minor, fearful of her threats, sent (...).

SECOND: On 03/09/22, by the Director of the Spanish Agency for
Protection of Data, an agreement is issued to admit the processing of the claim

presented by the claimant, in accordance with article 65 of the LOPDGDD Law,
when assessing possible rational indications of a violation of the rules in the field
of the powers of the Spanish Data Protection Agency.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/18








THIRD: On 03/11/22, by the Board of Directors of the Spanish Agency for
Data Protection, sanctioning procedure begins when appreciating indications
reasonable violation of the provisions of article 6.1 of the GDPR, imposing

an initial penalty of 10,000 euros (ten thousand euros).

FOURTH: Once the initiation agreement has been notified to the claimed person, the latter by means of
brief dated 04/06/22 made the following allegations:

       "PREVIOUS. - Go ahead that at the time of the facts my

       represented was a minor, and was 16 years old, without even
       He will not even be forced to delete the videos that are the object of litigation because in his
       statement stated that they had been deleted and that inferring to the minor that
       send him more videos because if he didn't post them on the internet it was and was for what
       has been sentenced, that is to say for that conditional threat requiring more

       videos, insisting that they were deleted.

       VIOLATION OF THE CONSTITUTIONAL PRINCIPLE "NON BIS IN IDEM"

       The defendant was convicted criminally in the referenced File of
       Reform as author of a crime of conditional threats, in accordance

       between the parties the measure of four months maximum of socio-educational tasks,
       oriented to a sexual affective program and gender perspective.

       This fundamental right is recognized in art. 18.4 C.E. is the one
       is violated. Said article provides that "The Law shall limit the use of the

       information technology to guarantee the honor and personal and family privacy of the
       citizens and the full exercise of their rights". According to repeated
       jurisprudence of the Constitutional Court, article 78.4 EC contains a
       institute for the guarantee of the rights to privacy and honor, and to full
       enjoy the remaining rights of citizens, and therefore also, "the

       fundamental right to data protection, understood as the right to
       freedom from potential attacks on the dignity and freedom of the
       person from an illegitimate use of the automated treatment of
       data, what the Constitution calls "informatics". (STC 290/2000 of 30
       November, in its Fundamental'7"; SRC 743/7994' of May 9 in its
       Foundation J"; STC 17/7998 of January 13, in its Foundation 4").


       The constitutional and legal configuration of the fundamental right to protection
       of data (specifically through the Organic Law on Data Protection)
       confers on its holder a series of powers to guarantee its protection, and Ie
       gives peculiarities in its content, which distinguishes it from others since

       confers on its owner a series of powers consisting of imposing on third parties,
       certain legal duties, which, for example, are contained in the law
       fundamental to privacy, that is, "guarantees the person a power of
       control over your personal data", which is only possible and effective
       imposing on third parties certain duties to do (namely: the right to

       that prior consent is required for the collection and use of data
       personal information, the right to know and be informed about the destination and use of the
       data, and the right to access, rectify and cancel said data. to avoid
       this type of interference, the LOPD grants the Spanish Agency of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/18








       Data Protection the protective and preventive nature of such rights, to
       ensure, through its exercise, the safeguarding and ensuring the right
       fundamental to the protection of said personal rights in relation to the

       limits, to the use of computing.

       The Spanish Data Protection Agency, after completing the proceedings
       previous inspection carried out since the month of May, has given transfer
       the final inspection report to the Investigating Court No. XX of Madrid, and
       has launched a disciplinary procedure, which is suspended

       until the resolution of the criminal judicial procedure given the pendency of the
       same, as provided for in the Administrative Procedure legislation.

       The criminal process will question the sanctioning reaction of the AEPD in due course,
       since the judicial resolution that is definitively handed down in the criminal process

       will condition its action as a consequence of respect for the non bis principle
       in idem, included in article 25.7 of the Constitution, which constitutes a
       true fundamental right of the citizen in our Law.

       The "non bis in idem" principle has a double dimension, as explained by the
       STC 188/2005, of July 7:


       a) Material or substitute that prevents sanctioning the same fact with the same
       same disproportionate punitive.

       b. The procedural or formal, which proscribes the duplication of procedures

       sanctions in case there is a triple identity of subject, fact and
       foundation, and which has as its first concretion "the rule of preference or
       precedence of the criminal judicial authority over the Administration with respect to
       its performance in disciplinary matters in those cases in which the facts
       to sanction may be, not only constituting an administrative infraction, but also

       also crime or misdemeanor according to the Penal Code. Therefore, it will be necessary
       determine whether both in the criminal procedure and in the procedure
       sanctioner there is total identity, or on the contrary, there is some element
       novelty that excludes the application of the Principle.

       The ECHR did not begin to consider the question of the criminal characterization of

       a procedure with the first application of art. 4, but had already entered
       to assess these disquisitions on the occasion of the application of the guarantees of the
       art. 6 of the Convention relating to fair trial. First, you enter
       to consider the classification of the offense and its sanction by law
       national. In the event that domestic law classifies these as criminal or

       criminals, will automatically be classified as such for the purposes of the convention.

       TWO.- LACK OF PUBLICATION TO THIRD PARTIES OF ANY
       THE VIDEOS THAT THE MINOR (14 YEARS OLD) SENT TO THE MINOR (16 YEARS OLD)
       YEARS).


       There is no evidence whatsoever, with which it can be determined that the data of
       personal nature in terms of videos sent some voluntarily by the
       minor through the INSTAGRAM and WHATSSAP applications, have been

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/18








       disclosed to third parties and not only that there is no proof that said
       personal data have not been disclosed to third parties, but rather
       stated that said videos had been deleted and that those sent without

       consent of the minor are exclusively due to criminal reproach
       suffered with the Judgment that, according to the complainant, contributes to his
       written complaint, in addition to the ignorance of the age of the minor, but
       for whose acts he was sentenced for conditional threats, threats
       that were based not on the own sending of said vices but on the demand
       that could be carried out for the minor, regarding the person who was also a minor.


       THIRD.- REGARDING THE CONSENT OF THE MINOR, THE
       ILLEGITIMATE USE BY THE LESSER OF THE NETWORKS
       SOCIAL, BREACH OF PARENTAL OBLIGATIONS OR
       IMPLIED CONSENT FOR THE USE OF NETWORKS

       SOCIAL COMPANIES THAT DO NOT REPORT THEIR APPS TO MINORS.

       The Royal Decree 1720/2001, of December 27, which approves the
       Regulations for the development of Organic Law 15/1999, of December 13, of
       protection of personal data, literally says:


       Section 1 Obtaining the consent of the affected party

       Article 12. General principles.

       1.- The data controller must obtain the consent of the

       interested personal character unless required in accordance with the treatment
       of your data itself from in no to those cases in which the Io provided in
       laws. The request for consent must refer to a treatment or
       series of specific treatments, with delimitation of the purpose for which they are
       collects, as well as the remaining conditions that occur in the treatment

       or series of treatments.

       2.- When the consent of the affected party is requested for the assignment of their
       data, he must be informed in such a way that he knows unequivocally the
       the purpose for which the data will be used with respect to whose communication
       requests the consent and the type of activity carried out by the assignee.

       Otherwise. consent will be void.

       3.- The person responsible for the treatment will be responsible for the existence of the
       consent by any means of evidence admissible by law.


       Article 13. Consent for the treatment of data of minors.

       1.- The data of those over fourteen may be processed
       years with your consent, except in those cases in which the Law requires
       for its provision the assistance of the holders of parental authority or guardianship.

       In the case of minors under fourteen years of age, the consent of
       parents or guardians.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/18








       2.- In no case may data be collected from the minor that allows obtaining
       information about the other members of the family group, or about the
       characteristics thereof, such as data relating to the professional activity of

       parents, economic information, sociological data or any other
       others. In no case may data be collected from the minor that allows obtaining
       information about the other members of the family group, or about the
       characteristics of the same, such as the data related to the professional activity of
       parents, economic information, sociological data or any
       others, without the consent of the owners of such data. However, they may

       collect the identity and address data of the father, mother or guardian with the
       sole purpose of obtaining the authorization provided for in the previous section.

       3.- When the treatment refers to data of minors, the
       information addressed to them must be expressed in a language that is

       easily understandable by those, with express indication of the provisions
       in this article.

       4.- It will correspond to the person in charge of the file or joint treatment the
       procedures to ensure that the correctness of the
       age of the minor and the authenticity of the consent given in his case, for

       parents, guardians or legal representatives.

       Article 14. Form of obtaining consent.

       1.- The controller may request the consent of the

       interested party through the procedure established in this article, except
       when the Law requires the same to obtain express consent for the
       treatment.

       2.- The person in charge may address the affected party, informing him in the terms

       provided for in articles 5 of LO 15/1999, of December 13 and 12.2 of
       this regulation and must grant them a period of thirty days to express
       refusal to treatment, warning him that in case of ruling to such
       effect, it will be understood that you consent to the processing of your personal data
       staff.


       In other words, in Instagram's own conditions of use you can
       clearly read what is the minimum age to create a profile on Instagram
       just like WhatsApp.

       But of course, made the Law cheated. If a preteen under the age of 14

       years old, you want to create a profile on Instagram, all you have to do is vary a few
       numbers of your date of birth.

       There is also the issue of parental control, that is, if our inferior son or daughter
       14 year old wants an Instagram profile, we can create it with our

       authorization and then activate parental control, which we understand that this must
       be the case... right?... Without the existence of consent being controversial
       express of a minor under 13 years of age from an Instagram and WhatsApp account.
       Who has consented for the minor to have an account on Instagram and on

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/18








       WhatsApp? Parents? , Who has bought the mobile to the minor? , the
       fathers? , because the parents do not report, activate or control what their
       13 year old daughter with a mobile.


       The defendant has responded with respect to criminal justice. Parents shouldn't
       to answer anything regarding their parental obligations?

       At the most favorable point for parents.... Consequently, is the
       tacit consent? That is, that consent has been obtained by

       writing and that this has not been expressly stated (although neither
       YOUR opposition) what is understood that there is authorization for it, since it is not
       there is evidence against the fact that the parents were unaware that their daughter was not
       had the Instagram or WhatsApp applications, or documented
       that he fences without hesitation, the express opposition to his daughter having Instagram.


       Is there that tacit consent of the person who holds parental authority, for
       application of Article 14.2 of the Regulation?

       Are parents responsible for non-compliance with Article 154 of the Code
       Civil, insofar as this is defined as ... Parental authority, as

       Parental responsibility will always be exercised in the interests of the sons and daughters, in
       accordance with their personality, and with respect for their rights, their integrity
       physical and mental... this is also being breached by the parents, they must
       Does the Social Services have knowledge of said individual?


       Instagram prevents adults from sending private messages to people
       under 18 if they are not followed. In this way, if an adult pretends
       write to a teenager, a notification will come that it is not possible to send him
       a Direct Message.


       As for WhatsApp, its security and privacy positioning is still
       more severe and says: ...About the minimum age to use WhatsApp

       If you reside in a country of the European Economic Area (including the Union
       Union) or in any other country or territory that is part of it

       (collectively referred to as the European Region), you must be at least 16 years of age (or
       more, if required by the legislation of your country) to register in WhatsApp.

       If you reside in a country that does not belong to the European Region, you must have at
       least 13 years (or more, if required by the legislation of your country) to

       register in WhatsApp and use the service.

       For more information, see our Terms of Service.
       Note:
       Creating accounts with false information constitutes a breach of
       our Conditions.


       The registration of accounts on behalf of other minors also
       constitutes a breach of our Conditions. report a minor
       age

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/18









       If a minor in your care created a WhatsApp account, you can show them
       how to remove it For information on how to delete an account,

       Check out our Help Center.

       If you want to report an account that belongs to a minor, please,
       send us an email. In your email, provide the
       following documentation and delete or hide any personal information not
       related:

       Proof that the WhatsApp number belongs to you (for example, a copy of a
       government-issued ID and a phone bill
       with the same name) Proof that you are the minor's legal representative (for
       example, copy of the child's birth or adoption certificate)


       Proof of the minor's date of birth (for example, a copy of the certificate
       of birth or adoption of the minor)

       If we can verify that the WhatsApp account belongs to a minor
       old, we will deactivate it immediately. You will not receive any confirmation of

       this action. Our ability to review and take action
       about a report is greatly improved if you provide us with all
       information that we just requested.

       If we cannot verify that the reported account belongs to a minor, it is
       we may not be able to take action on it. case, if you are not

       representative of the minor, we recommend that you encourage the person representing him to
       that you contact us using the instructions described above.

       A question that their own parents never did. The already claimed
       responded regarding the more punitive justice such as criminal justice, should they

       answer the parents of the minor regarding their obligations that typify the
       parental authority of 154 of the Civil Code? Should an investigation be initiated into
       through social services about whether parents do not comply with their
       obligations and consequently the minor must be protected?


       FOURTH.- SCOPE OF THE PSYCHOLOGICAL OR MORAL DAMAGE SUFFERED BY
       THE MINOR.

       There is no accredited psychological or moral damage in the criminal procedure
       nor is there evidence of civil liability attributable to the defendant. By
       all of it,


       I REQUEST THE DIRECTOR: That she consider this document presented, as
       admit, so that, after the appropriate legal procedures, the ARCHIVE proceeds,
       of this file for all the arguments put forward in the body of the
       this document, and all this prior to the practice of the evidence requested

       in the body of this document:




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/18








       - That, as means of proof, it is requested that the Court of
       Minors (...) to send a complete and witnessed copy of the Record of
       Reform No. XXX/20.


       -That the company Instagram S.L. located in Finca la Vaqueria. crta
       Belvis del Jarama k, MADRID, to provide supporting documents of the
       privacy policy and also that it be provided, upon request to the
       parents of the minor of the name of his Instagram profile as well as the
       parental consent for use by the

       minor, or if in his case the data was falsified in order to create a
       Instagram at only 13 years old.

       -That it be officiated at the WhatsApp Inc company, with smb email
       web@support.whatsapp.com and tax address at 1601 Willow Road (MenIo

       Park of California 94025 ), to provide supporting documents of the
       privacy policy and also that it be provided, upon request to the
       parents of the minor of the phone associated with WhatsApp as well as the
       parental consent for use by the
       minor, or if in his case the data was falsified in order to create a
       Instagram at only 13 years old.


       - That the parents of the minor are required to provide the invoice
       Telephone purchase of the telephone or the telephone bill to which your
       associated phone to open said apps and justify that they were
       knowing that his daughter was the owner of said mobile phone.


       .- That the parents of the minor be required to contribute a single
       indication about the transmission to third parties of the videos of sexual content that
       allegedly the defendant has spread on the Internet.


       .- That the Juvenile Court of (...) be required to report on the
       measures or socio-educational plan that my principal is studying and he barely
       there are a few days left for compliance and consequently said report is not
       has at disposal.

       ANOTHER I SAY: This part anticipates the nullity of full-fledged Actions

       for depriving my principal of the right of defense and not officiating or requesting or putting
       implement the requested measures.

FIFTH: On 07/27/22, the claimant is notified of the proposed resolution in
which responded to the allegations raised and proposed that, due to the

Director of the Spanish Data Protection Agency proceed, in accordance with
the provisions of articles 63 and 64 of Law 39/2015, of October 1, of
Common Administrative Procedure of Public Administrations (LPACAP), to
impose a penalty of 10,000 euros (ten thousand euros) on the defendant, for the infringement
of article 6.1 of the GDPR and that it proceed to order, as a measure, the

suspension of all processing of personal data relating to the girl, minor and
deletion of said data, in accordance with the provisions of art. 69 of the LOPDGDD.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/18








SIXTH: Once the proposed resolution was notified to the claimant on 07/27/22, the
dated 08/12/22, in this Agency writing of allegations to the proposal of
Resolution that is an identical reproduction of the one presented against the initiation agreement

of the present proceeding and which is reproduced in its entirety above.

                                PROVEN FACTS.

Of the actions carried out in this procedure and of the information and
documentation submitted, the following circumstances have been accredited:


First: As can be seen from Judgment No. XX/02020 of the Juvenile Court
Nº (…) (Reform File number XXX/2020), the defendant demanded from the girl,
underage, to continue sending her photos and videos, but since she
denied, he intimidated her by telling her that he would upload the photos and videos that he already had to the networks

social. Despite his opposition and refusal for the defendant to continue obtaining photos
and intimate videos of her, fearful of her threats, she sent (...) with
images of you to the claimant.

                           FUNDAMENTALS OF LAW


                                           YO-
                                     Competition.

It is competent to initiate and resolve this Disciplinary Procedure, the Director of
the Spanish Data Protection Agency, by virtue of the powers that art 58.2

of the GDPR recognizes the control authority, as well as what is established in arts. 47,
64.2 and 68.1 of the Law, LOPDGDD.
                                          II.-
    On the allegations presented to the proposed resolution of the file
                                     sanctioning.


As a preliminary matter, it is stated that for the Resolution of this
disciplinary proceedings have taken into account the allegations presented by the
claimed throughout the entire procedure and that, in order not to repeat itself, considers them
reproduced.


However, before assessing the offense committed in this case, it must be
make the following considerations regarding the allegations presented to the
resolution proposal:

       On the concurrence of the principle "non bis in idem":


This principle, developed in article 31.1 of Law 40/2015, of October 1, on
Legal Regime of the Public Sector (LRJSP), "Concurrence of sanctions", establishes:

       "1. Acts that have been criminal or

       administratively, in the cases in which the identity of the subject is appreciated,
       fact and foundation.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/18








And it has the task of guaranteeing the “favor libertatis”, that is, guaranteeing freedom by contributing
legal certainty to the process, through the prohibition, in our case, of the
application of an administrative sanction in those cases in which, to the same

subject, for carrying out a certain act, a criminal sanction could be imposed. EITHER
which is the same, the prohibition of the imposition of a double penal sanction-
administrative, in those cases in which there is identity of subject, fact and
basis.

Its application is subsequent to the sanction of a first event that has already been sanctioned,

worth the redundancy, in criminal proceedings. However, a problem arises when a
fact injures two different legally protected assets, in this case it is
administrative sanction together with the criminal one. Therefore, in order for you to operate this
In principle, the following elements must be present:


    - Subjective identity: in this case the affected subject always has to be the
       itself, regardless of the nature, the body that has resolved, the
       accuser or if there is concurrence or not of others affected.

    - The factual identity: this implies that the facts prosecuted must be the
       themselves.


    - Causal identity: sanctioning measures cannot apply if
       They respond to the same nature.

Well, in our case, regarding the Identity of subjects, we can verify

as in Judgment No. XX/2022 of the Juvenile Court (...) (Exp. De Reforma No.
XXX/2020.- Prosecutor's Office No. XXX/2020) dated 01/25/22, appears as the author of the facts
prosecuted, the defendant, and in this disciplinary file (PS/107/2022),
appears as responsible, the same person, so we can indicate that there is, in
In this case, identity of subjects.


Regarding the identity of the facts, if we read the Ruling of Judgment No. XX/2022 of the
Juvenile Court (...) (Reform Case No. XXX/2020.- Prosecutor's Office No. XXX/2020) of
dated 01/25/22, as a socio-educational measure is imposed on the claimant for a
crime of conditional threats, which occur when the evil with which
threat carries with it a condition, which may or may not be fulfilled and the

imposed condition may be legal or illegal and it may consist of the
claim of an amount or any other circumstance, as established in the
Article 169.1 of the Penal Code:

       "Whoever threatens another with causing him, his family or other persons with

       which is closely linked to an evil that constitutes crimes of homicide,
       injuries, abortion, against freedom, torture and against moral integrity, the
       sexual freedom, privacy, honor, heritage and socioeconomic order,
       He will be punished:


       1st With a prison sentence of one to five years, if the
       threatens by demanding an amount or imposing any other condition,
       even if it is not illegal, and the culprit has achieved his purpose. Not


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/18








       achieve it, a prison sentence of six months to three years will be imposed. but
       this must be possible (…)”,


       While the present sanctioning procedure (PS/0107/2022), begins
       for an alleged illegal treatment (without consent) of the personal data of the
       girl, minor, contemplated in article 6.1 GDPR:

       "1. Processing will only be lawful if it meets at least one of the following
       conditions:


       a) the interested party gave his consent for the processing of his data
       personal for one or more specific purposes (…);

Therefore, in this case, as we could verify, there is no identity in the

facts to which the principle of "non bis in idem" obliges, since in criminal proceedings
sanctioned a conditional threat to the underage girl and in the present
sanctioning administrative procedure is sanctioning an illegal treatment of
the girl's personal information.

Lastly, the identity of the foundation occurs when the legal right protected

for the two (or more) infractions is the same, which brings us to the contest of laws and the
crime contest. Well, in our case, the legal right protected in a crime
of conditional threats, in criminal proceedings, we could define it as the right to
freedom of formation of the will of the threatened person, while the good
legal protection in administrative proceedings would be the protection of the person in relation to

with the processing of your personal data, in this case, the images of the girl.
Fundamental right protected by article 18.4 of the Spanish Constitution.

Therefore, after analyzing the elements that concur in the principle "non bis in
idem" we can determine that, in the present case, its application is not possible, since

identity in the facts or in the grounds, as required by article 31.1
LRJSP.

       About the non-existence of the publication of images or videos

On this point we must start by remembering that recital (26) GDPR

indicates that: "The principles of data protection must be applied to the entire
information relating to an identified or identifiable natural person (…)”.

Leaving the above established, article 4 GDPR, defines, among others, the following
concepts:


       1) As "personal data": "all information about a natural person
       identified or identifiable ("the data subject"); will be considered a natural person
       identifiable any person whose identity can be determined, directly or
       indirectly, in particular by means of an identifier, such as a

       name, an identification number, location data, an identifier in
       line or one or several elements proper to the physical, physiological,
       genetic, psychological, economic, cultural or social of said person;


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/18








       2) As "data processing": any operation or set of operations
       performed on personal data or sets of personal data, either by
       automated procedures or not, such as the collection, registration, organization,

       structuring, conservation, adaptation or modification, extraction, consultation,
       use, communication by transmission, diffusion or any other form of
       authorization of access, comparison or interconnection, limitation, deletion or
       destruction; (…)

       7) As "data controller": any natural or legal person,

       authority, service or other body which, alone or jointly with others, determines the
       purposes and means of processing (…)

       While in article 1 of the GDPR, it is established that:


       1. This Regulation establishes the rules relating to the protection of
       natural persons with regard to the processing of personal data and the
       rules relating to the free movement of such data.

       And article 2 GDPR:


       1. This Regulation applies to the processing in whole or in part
       automated processing of personal data, as well as the non-automated processing of
       personal data contained or intended to be included in a file.

Therefore, at no time is it established that, in order for the GDPR to be applied

it is necessary that the person responsible for the processing of personal data has
assigned to a third party.

For the GDPR to be fully applicable, it is therefore necessary that the
processing of personal data carried out by the person responsible for them, be it

Apart from communication by transmission, broadcast or any other form of
authorization of access, collation or interconnection, any other operation or set of
operations carried out on them, be it the collection, registration,
organization, their structuring, their conservation, their adaptation or
modification, its extraction, its consultation, its use, or its limitation, deletion or
destruction.


Therefore, in the case at hand, the mere collection, registration and conservation of
the images of the girl, a minor, made by the defendant (responsible for the
treatment) are sufficient cause for the application of the GDPR.


       On the consent of the minor and the illegitimate use by the
       social media minor,

Reference is made at this point to Royal Decree 1720/2001, of December 27, by
which approves the Regulations for the development of Organic Law 15/1999, of 13 December

December, protection of personal data.

Well then, as can be seen from the claim, the communications and the sending of
images of the girl, begin between both minors on 10/15/19 at 11:20 p.m.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/18








Instagram and WhatsApp. However, the last ones that are conserved made by
this last means are from 01/02/20.


According to article 99 of the GDPR, the entry into force and application of the new GDPR was,
“twenty days after its publication in the Official Journal of the European Union, the
05/25/16”, being mandatory as of May 25, 2018”. By
Therefore, as of this date (05/25/18), Organic Law 15/1999 was repealed,
(LOPD), applying mandatorily, from that date, the current RGPD.


Regarding Organic Law 3/2018, of December 5, on Data Protection
Personal Rights and Guarantee of Digital Rights (LOPDGDD), published on 12/06/18
It is indicated, upon its entry into force, in its sixteenth final provision that: "The
This organic law will enter into force the day after its publication in the
Official State Gazette" so from 12/07/18 it is mandatory.


For its part, the sole repeal provision of the LOPDGDD establishes:

       1. Without prejudice to the provisions of the fourteenth additional provision and the
       fourth transitory provision, the Organic Law 15/1999, of 13
       December, Protection of Personal Data.


       2. Royal Decree-Law 5/2018, of July 27, on measures
       urgent for the adaptation of Spanish Law to the regulations of the Union
       European Union on data protection.


       3. Likewise, any provisions of equal or lower rank are repealed
       contradict, oppose, or are incompatible with the provisions of the
       Regulation (EU) 2016/679 and in this organic law.

Therefore, in accordance with section 3 of the Sole Repealing Provision, the Royal Decree

1720/2007 was repealed as of 12/07/18 in those provisions that
"contradict, oppose, or are incompatible with the provisions of the Regulation
(UE) 2016/679 and in the LOPDGDD."

In the present case, for the processing of personal data to be carried out
legally, these must be processed with the consent of the interested party or on

some other legitimate basis established in accordance with Law, (Considering 40 GDPR),
Article 6.1 of the GDPR is therefore applicable and not RD 1720/2007
used by the defendant.

Thus, the aforementioned article 6.1 GDPR establishes that the processing of data

Personal information will only be lawful if it meets at least one of the following conditions:

       a) the interested party gave his consent for the processing of his data
       personal for one or more specific purposes;


       b) the processing is necessary for the performance of a contract in which the
       interested party or for the application at the request of this of measures
       pre-contractual;


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/18








       c) the processing is necessary for compliance with a legal obligation
       applicable to the data controller;


       d) the processing is necessary to protect vital interests of the data subject or
       of another natural person.

       e) the treatment is necessary for the fulfillment of a mission carried out in
       public interest or in the exercise of public powers conferred on the person responsible
       of the treatment;


       f) the processing is necessary for the satisfaction of legitimate interests
       pursued by the data controller or by a third party, provided that
       such interests are not overridden by the interests or the rights and freedoms
       of the interested party that require the protection of personal data,

       in particular when the interested party is a child. The provisions of letter f) of the
       first paragraph shall not apply to the treatment carried out by the
       authorities in the exercise of their functions.

But, what's more, since the interested party is a minor, as is the case in our case,
We must bear in mind the provisions of art. 7 LOPDGDD:


       "1. The processing of personal data of a minor only
       may be based on your consent when you are over fourteen years of age. I know
       Except for those cases in which the law requires the attendance of the holders of the
       parental authority or guardianship for the celebration of the legal act or business in which

       context the consent for the treatment is obtained.

       2. The treatment of the data of minors under fourteen years of age, based on the
       consent, it will only be lawful if that of the holder of parental authority or
       guardianship, with the scope determined by the holders of parental authority or

       guardianship." The minors whose data has been processed by the defendant are
       perfectly identifiable and that their identity can be determined, directly or
       indirectly.

Therefore, Articles 2, 13 and 14 of the Articles cannot be considered in the present case.
Royal Decree 1720/2001, of December 27, which approves the Regulation of

development of Organic Law 15/1999, of December 13, alleged by the party
claimed by being repealed by this LOPDGDD, and being applicable in this
case, articles 6 and 7 of the GDPR.

On the illegitimate use by the minor of social networks and

breach of parental obligations, it should be noted that, in the present
procedure is not assessing the degree of compliance of social networks
(WhatsApp or Instagram), in the parental control of the same. In this procedure
the degree of legality that has occurred in the treatment of the data has been assessed
of the girl, a minor, by the defendant.


       Regarding the scope of the psychological or moral damage suffered by the minor



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/18








On this point, just indicate that this Agency is not competent to assess
the degree of psychological or moral damage suffered by the people they have treated
your personal data without your consent.


       On the practice of proposed tests:
It is considered that the information and documentation provided to the procedure is sufficient

cient to be able to elucidate whether or not there is an infringement of the current regulations on
of data protection and this has been demonstrated throughout this proposal for
resolution, based on Judgment No. XX/02020 of the Juvenile Court (...).- Ex-
Reform request number XXX/2020 (Prosecutor's Office number XXX/2020), in the "Facts
Proven", in its "Fundamentals of Law" and in the "Failure" issued. This is so because-

that this administrative sanctioning procedure is initiated after having carried out
The AEPD has carried out intense previous work, which substitutes sufficient evidence for this instruction.
tion.

In this case, the information provided by the parties is assumed to be true. Nope
However, the foregoing, the already mentioned so many times, Article 24.2 of the EC, applicable
Also in this case, it recognizes the right of the claimed entity “to use all
the pertinent means of proof for his defense", leaving at his discretion to be able to present
take as many means of proof as it deems pertinent throughout the procedure.

Therefore, the testimonial evidence requested by the claimed party is considered to be
are not necessary in this case, in application of the principle of "procedural economy" to the

the attributable facts must already be sufficiently accredited, and, therefore, it must be re-
reject the request for the practice of evidence as unnecessary at this time, by
under the provisions of article 77.3 of the LPACAP.

                                           III.-
    Violation for the illegal treatment of the personal data of the minor.


In this case, according to the information and documentation presented in the
claim, the defendant, browsing the Instagram application, met the minor
of age (Claimant's daughter) aged 13 engaging in such a close relationship with her
confidence that the minor sent her videos and photos of an intimate nature, both by

the Instagram application as by WhatsApp.

After some time, the defendant demanded that the girl continue sending him photos and
videos, but since she refused, the defendant intimidated her by telling her that he would upload the
photos and videos that he already had on social networks, in the face of whose threats, the minor

Shipping (…).

As we have explained in the previous section, for data processing
personal information can be carried out lawfully, they must be treated with the
consent of the interested party or on some other legitimate basis established in accordance
a Law, (Recital 40 GDPR)


For its part, article 6.1 of the GDPR establishes that processing will only be lawful if
meets at least one of the following conditions:

       a) the interested party gave his consent for the processing of his data

       personal for one or more specific purposes;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/18









       b) the processing is necessary for the performance of a contract in which the
       interested party or for the application at the request of this of measures

       pre-contractual;

       c) the processing is necessary for compliance with a legal obligation
       applicable to the data controller;

       d) the processing is necessary to protect vital interests of the data subject or

       of another physical person.

       e) the treatment is necessary for the fulfillment of a mission carried out in
       public interest or in the exercise of public powers conferred on the person responsible
       of the treatment;


       f) the processing is necessary for the satisfaction of legitimate interests
       pursued by the data controller or by a third party, provided that
       such interests are not overridden by the interests or the rights and freedoms
       of the interested party that require the protection of personal data,
       in particular when the interested party is a child. The provisions of letter f) of the

       first paragraph shall not apply to the treatment carried out by the
       authorities in the exercise of their functions.

But, what's more, since the interested party is a minor, as is the case in our case,
We must bear in mind the provisions of art. 7 LOPDGDD:


       "1. The processing of personal data of a minor only
       may be based on your consent when you are over fourteen years of age. I know
       Except for those cases in which the law requires the attendance of the holders of the
       parental authority or guardianship for the celebration of the legal act or business in which

       context the consent for the treatment is obtained.

       2. The treatment of the data of minors under fourteen years of age, based on the
       consent, it will only be lawful if that of the holder of parental authority or
       guardianship, with the scope determined by the holders of parental authority or
       guardianship." The minors whose data has been processed by the defendant are

       perfectly identifiable and that their identity can be determined, directly or
       indirectly.

Therefore, according to the available evidence, it is considered that
the facts exposed do not comply with the provisions of articles 6.1 of the GDPR, by

unlawful processing of the personal data of the minor girl.

It is considered appropriate to apply the following aggravating criteria established by the
Article 83.2 of the GDPR:


       a).- The scope or purpose of the data processing operation and the level of
       the damages and losses caused, since it has been confirmed through
       final court ruling that the defendant required the girl to follow him
       sending photos and videos, but since she refused, the defendant intimidated her

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/18








       telling him that he would upload the photos and videos that he already had to social networks and that
       the minor, fearful of her threats, sent (...) to the
       reclaimed. (section a).


       b).- The intent of the offense, by the defendant, by intimidating
       to the girl telling her that she would upload the photos and videos that she already had to the networks
       achieving with it (...) of the girl. (section b).

It is also considered that the following aggravating criteria should be applied, which

Article 76.2 of the LOPDGDD establishes:

       a).- The affectation of the rights of minors, since the victim is a girl
       minor at the time of the facts (section f).


Notwithstanding the foregoing, in the present case, it is worth considering what is stipulated in the
Article 83.1 of the GDPR which establishes that: "Each control authority
ensure that the imposition of administrative fines under this
article for the infringements of this Regulation indicated in sections 4, 5 and
6 are in each individual case effective, proportionate and dissuasive”.


Therefore, taking into account the principle of proportionality and the individualization of the
sanction chosen in such a way that it represents an adequate response to illegality
of the fact and the guilt of the author, in the present case, it is considered reasonable
attend to what was stated by the defendant when he alleges that, in court, the
processing of personal data of the minor girl had ceased to exist

for having deleted the videos from his mobile.

Pursuant to the foregoing, the Director of the Spanish Agency for
Data Protection,
                                     RESOLVES:


FIRST: IMPOSE D.A.A.A., a penalty of 5,000 euros (five thousand euros) for
the violation of article 6.1 of the GDPR, regarding the illegal processing of the
images of the girl, minor.

SECOND: ORDER D. A.A.A., the elimination of any personal data from the

girl that is in their power, as well as inform this Agency about the measures
adopted for it.

THIRD: NOTIFY this resolution to D. A.A.A.


FOURTH: Warn the penalized party that the sanction imposed must be made effective by
Once this resolution is enforceable, in accordance with the provisions of Article
Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, within the voluntary payment period indicated in the
Article 68 of the General Collection Regulations, approved by Royal Decree

939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, by depositing it in the restricted account No. ES00 0000 0000 0000
0000 0000, opened in the name of the Spanish Data Protection Agency in the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/18








Banco CAIXABANK, S.A. or otherwise, it will proceed to its collection in
executive period.


Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediately following business month.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process (article 48.6 of the
LOPDGDD), and in accordance with the provisions of articles 112 and 123 of the Law

39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations, interested parties may optionally file
appeal for reversal before the Director of the Spanish Agency for Data Protection
within a month from the day following notification of this
resolution or directly contentious-administrative appeal before the Chamber of
contentious-administrative of the National Court, in accordance with the provisions of the

article 25 and in section 5 of the fourth additional provision of Law 29/1998, of
July 13, regulating the Contentious-administrative Jurisdiction, within the period of
two months from the day following the notification of this act, according to what
provided for in article 46.1 of the aforementioned legal text.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015,
of October 1, of the Common Administrative Procedure of the Administrations
Public, the firm resolution may be temporarily suspended in administrative proceedings if
The interested party declares his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal

contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.

Mar Spain Marti
Director of the Spanish Data Protection Agency.












C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es