AEPD - PS/00034/2020

From GDPRhub
AEPD - PS/00034/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
9 (h) Ley 49/1960, de Propiedad Horizontal
Type: Investigation
Outcome: Violation Found
Decided: 31.08.2020
Published: 31.08.2020
Fine: 10000 EUR
Parties: n/a
National Case Number/Name: PS/00034/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA fined a neighbourhood community EUR 10.000 for infringing Article 5(1)(f) of the GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant had an outstanding debt with his neighbourhood community. After several attempts to notify the debt, the administrator of the community published the complainant's name, address, and amount owed on the community's notice board. The publication was allegedly justified by Article 9 (h) of the Ley 49/1960 de Propriedad Horizontal.

Dispute[edit | edit source]

Is the public displaying of a document containing personal data on the notice board of the neighbour’s community a violation of Article 5 (1) (f) GDPR?

Holding[edit | edit source]

Article 9 of Ley de Propriedad Horizontal provides that: "If a summons or notification to the owner cannot be made in the place foreseen in the previous paragraph, it will be understood that it has been made by placing the corresponding communication on the community notice board, or in a visible place of general use enabled for this purpose, with express diligence of the date and reasons for which this form of notification is made".

The Spanish DPA held that the public sharing of the personal data on the notice board infringes the principles of integrity and confidentiality set forth in Article 5(1)(f) GDPR. In quantifying the fine, the Authority took into consideration different factors including the non-intentional nature of the infringement and the categories of data concerned. The controller was finally fined for Euro 10.000,00.

Comment[edit | edit source]

The complainant was a victim of gender-based violence recognized by a court ruling and therefore requested that her data be processed more carefully.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Style ID: PS/00034/2020
From the procedure instructed by the Spanish Data Protection Agency and
on the basis of the following
FIRST: A.A.A. (hereinafter the complainant) dated 5 October 2019 filed
claim before the Spanish Data Protection Agency. The claim is addressed to
against COMMUNITY OF OWNERS R.R.R. with tax identification number ***NIF.1 (hereinafter
The reasons for the complaint are that they have published on the notice board
of the community of owners claimed the personal identification data of the
(name, surname, flat and door) associated with a debt owed to the
community, indicating the financial amount due.
The complainant considers the president of the community responsible, as she has
the key to the board and for not withdrawing the publication of your data after having been advised of the
possible infringement of the data protection regulations involved, but this
has declined all responsibility by saying that the lock on the board is open and that
does not know who has placed the document there.
Along with the complaint, the complainant also has a photograph of the
the community, where the document is displayed showing the personal data of
as the only debtor of the whole building, provides a judgment of the Court of Lo
Criminal no. 12 of Malaga dated 20/11/2017 condemning his partner for a crime of
abuse, to prove that they are victims of gender-based violence and that their data
personal should be treated with special protection.
SECOND: Upon receipt of the complaint, the Subdirectorate General for the Inspection of
Data proceeded to carry out the following actions:
On 17 and 27 November 2019, the claim was transferred to the claimed entity
submitted by the complainant, for its analysis as well as to inform this
Agency on whether it had communicated with the complainant, and the decision
adopted in this respect to remedy the situation that has arisen.
The defendant has not responded to any of the requests made by the
Spanish Data Protection Agency.
THIRD: On 10 March 2020, the Director of the Spanish Data Protection Agency
Data Protection agreed to initiate sanctioning procedures against the respondent, by the
alleged violation of Article 5.1.f) of the RGPD, as defined in Article 83.5 of the
FOURTH: Once the above-mentioned agreement to initiate the proceedings had been notified, the respondent submitted a letter of
submissions on 25 May 2020, in which, in summary, it stated that "the
The previous administrator posted a list on the notice board of the
complainant by refusing to take notice of it
that his debt was to be recorded in the land register so that it would remain
recognized the same.
This neighbour has 2 complaints filed and has never collected any notifications.
Attached are the minutes of November 2015, which show all the steps that have been taken
attempted by the former managers regarding the communication of the debt to
the neighbour's happiness.
Also attached are the minutes of the previous Administrator, Mr. Antonio Flores Palomo where
this fact is recorded (recording the debt in the register) and my appointment is recorded in the minutes on
4th October 2019. The community documentation is delivered to me at the end
Attached is a signed document with the collection of the community's documentation".
This document indicates the name and surname of the claimant, as well as that she has a
3,542.27 debt.
FIFTH: On 22 June 2020 the instructor of the procedure agreed to the
opening of a trial period, with the incorporation of the
preliminary investigation proceedings, E/10284/2019, as well as documents
provided by the respondent.
 SIXTH: A motion for resolution was tabled on 1 July 2020,
proposing that the R.R.R. OWNERS' COMMUNITY be sanctioned with a NIF
***NIF.1, for an infringement of Article 5(1)(f) of the GPRD, as defined in Article 83(5)
of the GPRD, a fine of EUR 10 000
The proceedings in these proceedings and the
The following documents have been accredited
FIRST: They have been published on the notice board of the community of owners
claimed the personal identification data of the claimant (name, surname,
floor and door) associated with a debt owed to the community, indicating
of the financial amount due.
SECOND: the community of neighbours complained about, states that the previous
administrator posted a list on the bulletin board with the person's debt
The applicant refused to take receipt of a notification that he was leaving
to register their debt in the land register so that the
The Director of the Agency is competent to resolve this procedure
Data Protection, in accordance with the provisions of Article 58.2 of the
RGPD and in articles 47 and 48.1 of the LOPDGDD.
Article 6.1 of the RGPD, establishes the cases that allow to consider
the processing of personal data is lawful.
For its part, Article 5 of the RGPD establishes that personal data will be
"(a) processed in a lawful, fair and transparent manner in relation to the data subject
("legality, fairness and transparency");
(b) collected for specified, explicit and legitimate purposes and not treated
subsequently in a manner incompatible with those purposes; in accordance with Article 89,
paragraph 1, the further processing of personal data for archiving purposes in
public interest, scientific and historical research or statistical purposes are not
will be considered incompatible with the initial purposes ("purpose limitation");
(c) adequate, relevant and limited to what is necessary in relation to the purposes
for those who are processed ("data minimisation");
(d) accurate and, where necessary, updated; all measures shall be taken
to delete or rectify without delay personal data that
are inaccurate with respect to the purposes for which they are intended ("accuracy");
(e) maintained in such a way as to permit identification of the persons concerned
for no longer than is necessary for the purposes of the processing
personal; personal data may be kept for longer periods
provided that they are processed exclusively for archiving purposes in the public interest, for
scientific or historical research or statistical purposes, in accordance with Article
89(1), without prejudice to the implementation of technical and organisational measures
This Regulation is designed to protect the rights and freedoms of the
freedoms of the data subject ("limitation of the retention period");
(f) processed in such a way as to ensure appropriate security for the
personal data, including protection against unauthorised or unlawful processing and
against their accidental loss, destruction or damage, by implementing measures
appropriate techniques or organisational arrangements ("integrity and confidentiality").
The controller is responsible for compliance with the
provided for in paragraph 1 and capable of demonstrating it ("proactive responsibility").
Although it is true that if the respondent is not aware of the restraining order of the
cannot take any special precautions with your data, however, it will be you should bear in mind that for the display of personal data on a board
of Community notices, it has to comply with a number of principles in order to
not violate data protection regulations.
As a means of personal and individualized notification to the owner, the Law of
Horizontal Property, indicates the cases in which the exposure of data is authorised
personal matters related to the management of the
Community of Owners. Its article 9. h) indicates as the owner's obligation
"Communicate to whoever exercises the functions of secretary of the community, by any
means which allows to have a record of its reception, the domicile in Spain for the purposes
of citations and notifications of all kinds related to the community. At
Defect of this communication will be considered as an address for service
the flat or premises belonging to the community, giving full legal effect to
delivered to the occupant of the same. If a summons or notification to the
If the owner is unable to practice it in the place mentioned in the previous paragraph, it will be
shall be deemed to have been carried out by placing the corresponding communication in the
community bulletin board, or in a visible place for general use set up by the
with express due diligence as to the date and grounds on which it is
form of notification, signed by the person acting as Secretary of the
community, with the approval of the President. The notification practiced in this way
shall produce full legal effects within three calendar days".
Article 19.3 of the LPH, second paragraph, states: "The minutes of the meetings shall
shall refer the owners in accordance with the procedure laid down in Article
According to the evidence available, it is considered
The public display of a document on the notice board of the
community, showing the personal data of the claimant, and therefore it is understood
that the entity complained of has violated Article 5.1(f) of the RGPD, which governs
principles of integrity and confidentiality of personal data, as well as
proactive responsibility of the data controller to demonstrate his
Article 72.1.a) of the LOPDGDD states that "in accordance with the provisions
Article 83(5) of Regulation (EU) 2016/679 are considered very serious and
will be subject to a three-year limitation period for infringements involving a substantial breach
of the articles mentioned in that one and, in particular, the following ones:
a) The processing of personal data in violation of the principles and guarantees
set out in Article 5 of Regulation (EU) 2016/679
Article 58(2) of the GPRS provides: "Each supervisory authority
shall have all of the following corrective powers listed below:
b) sanction any person responsible for or in charge of the processing with
warning where processing operations have infringed the provisions of
this Regulation;
(d) instruct the controller or processor to ensure that the processing operations
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time frame;
(i) impose an administrative fine in accordance with Article 83, in addition to or in addition to
place of the measures referred to in this paragraph, depending on the circumstances
of each individual case;
This infringement is punishable by a fine of up to
or, in the case of an enterprise, an amount equivalent to a maximum of 4% of the
total annual turnover for the previous financial year, opting for the
in accordance with article 83.5 of the RGPD.
Likewise, it is considered that the sanction to be imposed should be graduated in accordance with
with the following criteria established in article 83.2 of the RGPD:
The following are aggravating factors:
In the present case we are dealing with unintentional but significant negligent action (Article 83.2 b)
Basic personal identifiers are affected, according to the
Therefore, in accordance with the applicable legislation and assessed on the basis of
graduation of penalties whose existence has been established,
the Director of the Spanish Data Protection Agency RESOLVES:
for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD,
in relation to Article 72(1)(a) a fine of EUR 10 000 (TEN THOUSAND EUR).
THIRD: To warn the sanctioned party that he must make effective the sanction imposed
once this decision becomes enforceable, in accordance with the provisions of
Article 98.1.b) of Law 39/2015, of 1 October, on Administrative Procedure
Commonwealth of Independent States (hereinafter LPACAP), within the payment period
established in art. 68 of the General Regulations on Collection, approved
by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003,
of 17 December, by means of its payment, indicating the tax identification number of the procedure set out in the heading of this document, in the account restricted No ES00 0000 0000 0000 0000, open on behalf of the Agency
Spanish Data Protection in the bank CAIXABANK, S.A.. In case
Otherwise, it will be collected during the enforcement period.
Once notification has been received and once it has become enforceable, if the enforceability date
The deadline for the completion of the registration process is between the 1st and 15th of each month, inclusive.
voluntary payment will be until the 20th day of the following month or the next business day, and if
is between the 16th and the last day of each month, inclusive, the deadline of
Payment will be made until the 5th of the second following month or immediately thereafter.
In accordance with the provisions of Article 50 of the LOPDGDD, the
This Resolution will be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to art.
48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the
LPACAP, the interested parties may lodge, on an optional basis, an appeal for reversal
to the Director of the Spanish Data Protection Agency within a period of
month from the day following notification of this resolution or directly
contentious-administrative appeal to the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating
Contentious-Administrative Jurisdiction, within two months from
day following notification of this act, as provided for in Article 46(1) of the
referred to Law.
Finally, it is pointed out that in accordance with the provisions of Article 90.3 a) of the
LPACAP, the final decision may be suspended in administrative proceedings as a precautionary measure
if the person concerned indicates his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this made by writing to the Spanish Data Protection Agency,by submitting it through the Agency's Electronic Register
[], or through one of the other
registrations provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. Also
must send to the Agency the documentation proving the effective intervention
of the contentious-administrative appeal. If the Agency was not aware of the
the lodging of the contentious-administrative appeal within two months of
day following notification of this resolution, would terminate the
precautionary suspension.
Mar España Marti
Director of the Spanish Data Protection Agency