AEPD - PS/00190/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 12.03.2021 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | PS/00190/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) warned a Home Owners' Association for an infringement of Article 5(1)(f) GDPR, due to the disclosing of personal data in a debtors list.
English Summary
Facts
A Home Owners' Association released a debtors list, that was shown publicly in the building's hall, where address details, name and surname of the claimant could be found.
Dispute
Is a Home Owners' Association allowed to publish such data?
Holding
The AEPD determined that this behaviour infringed Article 5(1)(f) GDPR, because it discloses personal data without the consent of the data subject. The Spanish law regulating private ownership of housing allows in its Article 19(3) Home Owners' Associations to publish of (personal) data in certain cases: for notification purposes, when other means have not resulted, for calling for meetings and for the publication of meetings memorandum. However, they are not allowed to publish personal data for mere informative purposes that are not supported by a legal ground.
The AEPD warned the Home Owners' Association and gave them a month to rectify the level of security of the data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/5 Procedure No.: PS / 00190/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) dated December 30, 2019 filed a claim with the Spanish Data Protection Agency. The claim is directed against COMMUNITY OF OWNERS B.B.B. with NIF *** NIF. 1 (hereinafter, the claimed one). The reasons on which the claim is based are that your personal data (floor, letter, name and surname) appear in a list of debtors published on the notice board. announcements, located on the portal of the building in which you reside. SECOND: In view of the events denounced, on 02/21/2020, the the claim to the claimed so that “it analyzes said claim and communicates to the the claimant the decision he adopts in this regard. Likewise, within a month from receipt of this letter, you must send this Agency the following information: 1. Copy of the communications, of the adopted decision that has been sent to the claimant regarding the transfer of this claim, and accreditation that the claimant has received the communication of that decision. 2. Report on the causes that have motivated the incidence that has originated the claim. 3. Report on the measures adopted to prevent incidents from occurring Similar. In response to the aforementioned request, on March 12, 2020, the president of the community of owners object of this claim, responds stating that the The decision to expose the claimant's personal data has been by agreement of all the neighbors to pressure him to pay a debt that he owes for more than a year, due to disagreements that it has with the community of owners for a breakdown you had at home. THIRD: On September 1, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the alleged violation of article 5.1.f) of the RGPD, typified in article 83.5 of the GDPR. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/5 FOURTH: On October 7, 2020, the agreement to initiate this procedure, becoming the same proposal for resolution of conformity with articles 64.2.f) and 85 of Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations (LPACAP), by not carrying out allegations within the indicated period. In view of all the actions, by the Spanish Agency for Data Protection In the present proceeding, the following are considered proven facts, ACTS FIRST: The personal data of the claimant (floor and letter of your address, and name and surname) appear in a list of debtors published on the notice board. announcements, located on the portal of the building in which you reside. SECOND: The defendant has not presented any allegation. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of The Spanish Data Protection Agency is competent to resolve this process. II In this case, the respondent reveals personal data of an owner. (floor, letter, name and surname) by placing on the notice board, located on the portal of the building in which it resides. It should be taken into account that for the exhibition on the bulletin board of the Community, personal data must adhere to a series of principles in order not to violate data protection regulations. As a means of personal and individualized notification to the owner, the Law of Horizontal Property, indicates the assumptions in which the data exposure is authorized of a personal nature related to matters arising from the management of the Community of owners. Its article 9. h) indicates as an obligation of the owner “Communicate to whoever exercises the functions of secretary of the community, by any means that allows to have proof of receipt, the address in Spain for the purposes of subpoenas and notifications of all kinds related to the community. In the absence of this communication, the address will be for citations and notifications of the apartment or premises belonging to the community, having full effect those delivered to the occupant of the same. If a subpoena or notification was attempted it was impossible for the owner to practice it in the place provided for in the previous paragraph, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/5 It will be understood as carried out by placing the corresponding communication in the community bulletin board, or in a visible place of general use enabled at the effect, with expressive diligence of the date and reasons why this notification form, signed by whoever exercises the functions of Secretary of the community, with the approval of the President. The notification practiced in this way it will produce full legal effects within three calendar days ”. Article 19.3 of the LPH, second paragraph, indicates: “The minutes of the meetings are will forward to the owners in accordance with the procedure established in article 9. " In the present case, there is no evidence that the exposed note comes from a call, meeting or minutes, but rather the desire to want to inform the owners, although the community board should not serve as a board for notify or inform when personal data is exposed, if the requirements in each case indicated for said exposure and its functions shall be those of notification or summons. In the present case, an informative note is being presented to the owners, making exposure in a space or place of transit of a note, which makes identifiable to a person and attributes the status of debtor, which may affect their honor. This note with the data as a means of information, in this case it does not fit to the LPH and violates the right of the claimant to their data protection, by not to proceed with the exposition in any of the cases provided for in the aforementioned LPH. Therefore, the COMMUNITY OF OWNERS B.B.B. with NIF *** NIF.1, the commission of an infringement of article 5.1. f) of the RGPD “1. Personal information will be: f) “treated in such a way as to guarantee adequate security for the personal data, including protection against unauthorized or illegal processing and against their loss, destruction or accidental damage, by applying measures appropriate technical or organizational ("integrity and confidentiality"). " Article 83.5 a) of the RGPD, considers that the infringement of "the basic principles for the treatment, including the conditions for consent under the Articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the aforementioned Article 83 of the aforementioned Regulation, with administrative fines of € 20,000,000 as maximum or, in the case of a company, of an amount equivalent to 4% as maximum total annual global business volume of the previous financial year, opting for the highest amount. The LOPGDD in its article 5.1 indicates: "Duty of confidentiality": "Those responsible and in charge of data processing as well as all persons who intervene in any phase of this will be subject to the duty of confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679. " Its article 72.1.a) considers it: “Violations considered very serious "1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/5 a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data in violation of the principles and guarantees of the established in Article 5 of Regulation (EU) 2016/679 ”. Article 58.2 of the RGPD provides: “Each supervisory authority will have all the following corrective powers listed below: b) punish any person responsible or in charge of the treatment with warning when the processing operations have infringed the provisions of this Regulation; d) order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period " In this sense, the actions taken by the claimed to the know the claim that was reported by this AEPD and the measures adopted, having to report them within the procedure, being able to in the resolution to adopt the appropriate ones for its adjustment to the regulations. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: 1. FIRST: IMPOSE COMMUNITY OF OWNERS B.B.B. with NIF *** NIF. 1, for an infringement of article 5.1 f) of the RGPD, punishable in accordance with the provisions put in art. 83.5 of the aforementioned RGPD, and classified as very serious in article 72.1 a) of the LOPDGDD, a warning sanction. SECOND: REQUIRE the claimed party so that within one month it accredits before this body the adoption of the necessary measures to guarantee a adequate security of the personal data processed, in accordance with what is required in article 5.1 f) of the RGPD that regulates the principles of integrity and confidentiality of the data. THIRD: NOTIFY this resolution to the COMMUNITY OF OWNERS B.B.B. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may file, optionally, an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of month from the day following notification of this resolution or directly C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/5 contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution may be suspended in an administrative way If the interested party expresses his intention to file a contentious appeal- administrative. If this is the case, the interested party must formally communicate this made by writing to the Spanish Data Protection Agency, Presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. As well must forward to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day after the notification of this resolution, I would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es