AEPD - PS/00034/2020
|Relevant Law:|Article 5(1)(f) GDPR; Article 9 (h) Ley 49/1960, de Propiedad Horizontal|
|National Case Number/Name:|PS/00034/2020|
|European Case Law Identifier:|n/a|
|Original Source:|AEPD (in ES)|
|Initial Contributor:|Francesc Julve Falcó|
The Spanish DPA fined a neighbourhood community EUR 10.000 for infringing Article 5(1)(f) of the GDPR.
English Summary
Facts
The complainant had an outstanding debt with her neighbourhood community. After several attempts to notify her of the debt, the administrator of the community published the complainant's name, address, and amount owed on the community's notice board. The publication was allegedly justified by Article 9 (h) of the Ley 49/1960 de Propiedad Horizontal.
Dispute
Is the public display of a document containing personal data on the notice board of the neighbourhood community a violation of Article 5 (1) (f) GDPR?
Holding
Article 9 of the Ley de Propiedad Horizontal provides that: "If a summons or notification to the owner cannot be made in the place foreseen in the previous paragraph, it will be understood that it has been made by placing the corresponding communication on the community notice board, or in a visible place of general use enabled for this purpose, with express diligence of the date and reasons for which this form of notification is made".
The Spanish DPA held that the public sharing of the personal data on the notice board infringes the principles of integrity and confidentiality set forth in Article 5(1)(f) GDPR. In quantifying the fine, the Authority took into consideration different factors including the non-intentional nature of the infringement and the categories of data concerned. The controller was ultimately fined EUR 10.000,00.
Comment
The complainant was a victim of gender-based violence recognized by a court ruling and therefore requested that her data be processed more carefully.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Style ID: PS/00034/2020
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and on the basis of the following
BACKGROUND
FIRST: A.A.A. (hereinafter the complainant) filed a claim before the Spanish Data Protection Agency dated 5 October 2019. The claim is directed against COMMUNITY OF OWNERS R.R.R. with tax identification number ***NIF.1 (hereinafter claimed). The reasons for the complaint are that the personal identification data of the complainant (name, surname, flat and door) have been published on the notice board of the community of owners claimed, associated with a debt owed to the community, indicating the financial amount due.
The complainant considers the president of the community responsible, as she has the key to the board and for not withdrawing the publication of her data after having been advised of the possible infringement of the data protection regulations involved, but the president has declined all responsibility, saying that the lock on the board is open and that she does not know who has placed the document there.
Along with the complaint, the complainant also has a photograph of the community, where the document is displayed showing her personal data as the only debtor of the whole building, and provides a judgment of Criminal Court no. 12 of Malaga dated 20/11/2017 condemning her partner for a crime of abuse, to prove that she is a victim of gender-based violence and that her personal data should be treated with special protection.
SECOND: Upon receipt of the complaint, the Subdirectorate General for the Inspection of Data proceeded to carry out the following actions: On 17 and 27 November 2019, the claim submitted by the complainant was transferred to the claimed entity, for its analysis as well as to inform this Agency on whether it had communicated with the complainant, and the decision adopted in this respect to remedy the situation that has arisen.
The defendant has not responded to any of the requests made by the Spanish Data Protection Agency.
THIRD: On 10 March 2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent, for the alleged violation of Article 5.1.f) of the RGPD, as defined in Article 83.5 of the RGPD.
FOURTH: Once the above-mentioned agreement to initiate the proceedings had been notified, the respondent submitted a letter of submissions on 25 May 2020, in which, in summary, it stated that "The previous administrator posted a list on the notice board of the complainant by refusing to take notice of it that his debt was to be recorded in the land register so that it would remain recognized the same. This neighbour has 2 complaints filed and has never collected any notifications. Attached are the minutes of November 2015, which show all the steps that have been attempted by the former managers regarding the communication of the debt to said neighbour. Also attached are the minutes of the previous Administrator, Mr. Antonio Flores Palomo, where this fact is recorded (recording the debt in the register) and my appointment is recorded in the minutes on 4th October 2019. The community documentation is delivered to me at the end of October. Attached is a signed document with the collection of the community's documentation". This document indicates the name and surname of the claimant, as well as that she has a 3,542.27 debt.
FIFTH: On 22 June 2020 the instructor of the procedure agreed to the opening of a trial period, with the incorporation of the preliminary investigation proceedings, E/10284/2019, as well as documents provided by the respondent.
SIXTH: A motion for resolution was tabled on 1 July 2020, proposing that the R.R.R.
OWNERS' COMMUNITY, with NIF ***NIF.1, be sanctioned, for an infringement of Article 5(1)(f) of the RGPD, as defined in Article 83(5) of the RGPD, with a fine of EUR 10 000.
The proceedings in these proceedings and the following documents have been accredited
PROVEN FACTS
FIRST: The personal identification data of the claimant (name, surname, floor and door) have been published on the notice board of the community of owners claimed, associated with a debt owed to the community, indicating the financial amount due.
SECOND: the community of neighbours complained about, states that the previous administrator posted a list on the bulletin board with the person's debt The applicant refused to take receipt of a notification that he was leaving to register their debt in the land register so that the same.
LEGAL FOUNDATIONS
I
The Director of the Data Protection Agency is competent to resolve this procedure, in accordance with the provisions of Article 58.2 of the RGPD and in articles 47 and 48.1 of the LOPDGDD.
II
Article 6.1 of the RGPD establishes the cases in which the processing of personal data is considered lawful.
For its part, Article 5 of the RGPD establishes that personal data will be:
"(a) processed in a lawful, fair and transparent manner in relation to the data subject ("legality, fairness and transparency");
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; in accordance with Article 89(1), the further processing of personal data for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes will not be considered incompatible with the initial purposes ("purpose limitation");
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");
(d) accurate and, where necessary, updated; all reasonable measures shall be taken to delete or rectify without delay personal data that are inaccurate with respect to the purposes for which they are processed ("accuracy");
(e) kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes of the processing of personal data; personal data may be kept for longer periods provided that they are processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), subject to the implementation of the appropriate technical and organisational measures required by this Regulation in order to protect the rights and freedoms of the data subject ("limitation of the retention period");
(f) processed in such a way as to ensure appropriate security for the personal data, including protection against unauthorised or unlawful processing and against their accidental loss, destruction or damage, by implementing appropriate technical or organisational measures ("integrity and confidentiality").
The controller shall be responsible for compliance with the provisions of paragraph 1 and be capable of demonstrating it ("proactive responsibility").
III
Although it is true that if the respondent is not aware of the restraining order it cannot take any special precautions with the complainant's data, it should nevertheless be borne in mind that the display of personal data on a community notice board has to comply with a number of principles in order not to violate data protection regulations.
As a means of personal and individualized notification to the owner, the Law of Horizontal Property indicates the cases in which the exposure of personal data related to the management of the Community of Owners is authorised.
Its article 9. h) indicates as the owner's obligation: "Communicate to whoever exercises the functions of secretary of the community, by any means which allows a record of its reception, the domicile in Spain for the purposes of citations and notifications of all kinds related to the community. In the absence of this communication, the flat or premises belonging to the community will be considered as the address for citations and notifications, with those delivered to its occupant having full legal effect.
If a summons or notification to the owner cannot be made in the place mentioned in the previous paragraph, it shall be deemed to have been carried out by placing the corresponding communication on the community bulletin board, or in a visible place for general use set up for this purpose, with express diligence as to the date and the grounds on which this form of notification is used, signed by the person acting as Secretary of the community, with the approval of the President. The notification practiced in this way shall produce full legal effects within three calendar days".
Article 19.3 of the LPH, second paragraph, states: "The minutes of the meetings shall be sent to the owners in accordance with the procedure laid down in Article 9."
According to the evidence available, it is considered that a document showing the personal data of the claimant was publicly displayed on the notice board of the community, and therefore it is understood that the entity complained of has violated Article 5.1(f) of the RGPD, which governs the principles of integrity and confidentiality of personal data, as well as the proactive responsibility of the data controller to demonstrate its compliance.
IV
Article 72.1.a) of the LOPDGDD states that "in accordance with the provisions of Article 83(5) of Regulation (EU) 2016/679, infringements involving a substantial breach of the articles mentioned therein are considered very serious and will be subject to a three-year limitation period and, in particular, the following ones:
a) The processing of personal data in violation of the principles and guarantees set out in Article 5 of Regulation (EU) 2016/679"
V
Article 58(2) of the RGPD provides: "Each supervisory authority shall have all of the following corrective powers listed below:
b) sanction any person responsible for or in charge of the processing with a warning where processing operations have infringed the provisions of this Regulation;
(d) instruct the controller or processor to ensure that the processing operations are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time frame;
(i) impose an administrative fine in accordance with Article 83, in addition to or in place of the measures referred to in this paragraph, depending on the circumstances of each individual case;
VI
This infringement is punishable by a fine of up to or, in the case of an enterprise, an amount equivalent to a maximum of 4% of the total annual turnover for the previous financial year, opting for the in
accordance with article 83.5 of the RGPD.
Likewise, it is considered that the sanction to be imposed should be graduated in accordance with the following criteria established in article 83.2 of the RGPD:
The following are aggravating factors:
In the present case we are dealing with unintentional but significant negligent action (Article 83.2 b)
Basic personal identifiers are affected, according to the 83.2g)
Therefore, in accordance with the applicable legislation and assessed on the basis of graduation of penalties whose existence has been established, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE on R.R.R., with NIF ***NIF.1, for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, in relation to Article 72(1)(a), a fine of EUR 10 000 (TEN THOUSAND EUR).
SECOND: TO NOTIFY THIS RESOLUTION TO THE COMMUNITY OF OWNERS R.R.R.
THIRD: To warn the sanctioned party that he must make effective the sanction imposed once this decision becomes enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the payment period established in art. 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 December, by means of its payment, indicating the tax identification number of the procedure set out in the heading of this document, in the restricted account No ES00 0000 0000 0000 0000, opened on behalf of the Spanish Data Protection Agency in the bank CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.
Once notification has been received and once it has become enforceable, if the enforceability date is between the 1st and 15th of each month, inclusive, the deadline for
voluntary payment will be until the 20th day of the following month or the next business day, and if it is between the 16th and the last day of each month, inclusive, the deadline for payment will be until the 5th of the second following month or immediately thereafter.
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to art. 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for reversal to the Director of the Spanish Data Protection Agency within a period of a month from the day following notification of this resolution, or directly a contentious-administrative appeal to the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46(1) of the aforementioned Law.
Finally, it is pointed out that in accordance with the provisions of Article 90.3 a) of the LPACAP, the final decision in administrative proceedings may be suspended as a precautionary measure if the person concerned indicates his intention to lodge a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, by submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. It must also send to the Agency the documentation proving the effective lodging of the contentious-administrative appeal.
If the Agency is not made aware of the lodging of the contentious-administrative appeal within two months of the day following notification of this resolution, it will terminate the precautionary suspension.
Mar España Marti
Director of the Spanish Data Protection Agency