AEPD - PS/00048/2021
|AEPD - PS/00048/2021|
|Relevant Law:||Article 5 GDPR|
Article 6 GDPR
|Parties:||ASOCIACIÓN DETRABAJADORES PENITENCIARIOS TU ABANDONO ME PUEDE MATAR|
|National Case Number/Name:||PS/00048/2021|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD decision (in ES)|
The Spanish DPA (AEPD) imposed a warning on an association for the protection of prison workers for publishing personal data without consent on Twitter.
English Summary[edit | edit source]
Facts[edit | edit source]
An association for the protection of prison workers published on Twitter a settlement proceedings documents in which the address of the claimant could be seen. The picture of it received several retweets so it reached a high amount of people. It was, however, deleted 15 minutes after its publication.
Dispute[edit | edit source]
Is this behaviour in line with Articles 5 and 6 GDPR?
Holding[edit | edit source]
The AEPD held that publishing personal data on Twitter without the consent of the claimant is a violation of Article 6 GDPR, due to the lack of consent, in relation with Article 5 GDPR, that is infringed due to the violation of the principle of confidentiality. The AEPD imposed a warning to the association.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/6 Procedure No.: PS / 00048/2021 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: D. A.A.A. in the name and on behalf of Ms. B.B.B. (hereinafter, the claimant) on August 5, 2019 filed a claim with the Agency Spanish Data Protection. The claim is directed against the ASSOCIATION OF PENITENTIARY WORKERS YOUR ABANDONMENT CAN KILL ME with NIF G88300991 (hereinafter, the claimed one). The claimant states: “that on August 2, 2018, the defendant proceeded to disseminate through the social network Twitter a copy of an alleged demand for an act of conciliation that would have been filed with the claimant. This request includes your personal data including your home address. that it is not a public data or accessible to third parties. Due to her work, the claimant is a public person, not her domicile, and the disclosure of said data. The dissemination of the data has been massive as reflected by the number of retweets and favorites that tweet in question ”. And, it provides the following documentation, among others: The document published in Twitter, which contains the home address of the claimant. SECOND: In view of the facts stated, on October 1, 2019 and on the 14th of the same month and year, the claim for the claimed report: 1. “The decision taken regarding this claim. 1. In the event of exercising the rights regulated in articles 15 to 22 of the RGPD, accreditation of the response provided to the claimant. 2. Report on the causes that have motivated the incidence that has originated the claim. 3. Report on the measures adopted to prevent incidents from occurring similar, implementation dates and controls carried out to verify their effectiveness. 4. Any other that you consider relevant. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/6 Thus, on October 12, 2019, the notification service electronic, returned the aforementioned notification, as the deadline for putting into disposition and on November 8, 2019, it was returned by the postal service, by said shipment not to be withdrawn from the post office. THIRD: On January 18, 2021, the respondent states: “that my constituents withdrew from their Twitter account the document published in a immediate, not being the same on the network for more than 15 minutes, being published by error, error that once warned caused the immediate withdrawal of the publication, fact which is easily verifiable by the Agency to which I am writing, leaving no trace of any kind of networks, nor of the data, nor of the content of the conciliation published by mistake, a fact that caused the complainant not to suffer any damage ”. FOURTH: On February 18, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the ASSOCIATION OF PENITENTIARY WORKERS YOUR ABANDONMENT CAN KILL ME, for the alleged violation of Article 6 of the RGPD, typified in Article 83.5 a) of the RGPD in relation to article 72.1 b) of the LOPDGDD. FIFTH: The Agreement to Initiate Sanctioning Procedure, was notified to the entity claimed electronically, the date of making available being February 19 of 2021, as evidenced by the certificate issued by the FNMT that works in the proceedings. SIXTH: Formally notified of the initiation agreement, the respondent has submitted brief of allegations on March 4, 2021, stating: “We must declare that my constituents removed from their Twitter account the published document of immediately, not being the same on the network for more than 15 minutes, being published by mistake, an error that once noticed, caused the immediate withdrawal of the publication, leaving no trace of any kind on the networks, neither of the data, nor of the content of the conciliation published by mistake, a fact that motivated the complainant would not suffer any harm. Therefore, having recognized the facts and not having any previous sanction, taking into account the principle of proportionality and seriousness of what happened and the rapid correction made, we request in application of art. 148 of the RGPD that the sanction remain in a warning, showing our deepest regret for what happened, not being our intention to cause harm to anyone, since everything is It was due to an inadvertent error. We request: that they consider the facts to be recognized and if they consider that the action is reprehensible, we request that taking into account the principles of seriousness and proportionality, the sanction imposed on us is a Warning ”. In view of all the actions, by the Spanish Protection Agency of Data in this procedure the following are considered proven facts: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/6 PROVEN FACTS FIRST: It is on record that on August 2, 2018, the respondent proceeded to disseminate by the social network Twitter a copy of an alleged demand for an act of conciliation that would have been brought against the claimant. The aforementioned claim includes the personal data of the claimant including your home address, which is not public data or accessible to third parties. Due to her work, the claimant is a public person, not her domicile, and the disclosure of said data. The dissemination of the data has been massive as reflected by the number of retweets and favorites that tweet in question. SECOND: On March 4, 2021, the party claimed in its brief of Allegations acknowledges the facts and agrees with the sanction imposed. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in arts. 47 and 48.1 of the LOPDPGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure. II Article 6.1 of the RGPD, establishes the assumptions that allow considering lawful processing of personal data. For its part, article 5 of the RGPD establishes that personal data will be: "A) treated in a lawful, loyal and transparent manner in relation to the interested party ("Lawfulness, fairness and transparency"); b) collected for specific, explicit and legitimate purposes, and will not be processed subsequently in a manner incompatible with said purposes; in accordance with article 89, section 1, the subsequent processing of personal data for archiving purposes in public interest, scientific and historical research purposes or statistical purposes are not deemed incompatible with the original purposes ("purpose limitation"); c) adequate, relevant and limited to what is necessary in relation to the purposes for those who are processed ("data minimization"); C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/6 d) accurate and, if necessary, up-to-date; all measures will be taken reasonable so that the personal data that are inaccurate with respect to the purposes for which they are processed ("accuracy"); e) maintained in a way that allows the identification of the interested parties for no longer than is necessary for the purposes of data processing personal; personal data may be kept for longer periods provided that they are treated exclusively for archival purposes in the public interest, purposes of scientific or historical research or statistical purposes, in accordance with article 89, paragraph 1, without prejudice to the application of technical and organizational measures appropriate measures imposed by this Regulation in order to protect the rights and freedoms of the interested party ("limitation of the conservation period"); f) treated in such a way as to guarantee adequate security of the personal data, including protection against unauthorized or illegal processing and against their loss, destruction or accidental damage, by applying measures appropriate technical or organizational ("integrity and confidentiality"). The person responsible for the treatment will be responsible for compliance with the provided for in section 1 and capable of demonstrating it ("proactive responsibility"). " III According to the available evidence, it is considered proven that on August 2, 2018, the respondent proceeded to disseminate through the social network Twitter an alleged lawsuit for a conciliation act that would have been filed against the claimant where their personal data were included, including their home address. Therefore, it is found that the complainant spread the message on the social network home of the claimant, and therefore is responsible for the violation of confidentiality when disseminating said data, so it is considered that has violated article 6.1 due to an illicit treatment of the personal data of the claimant, in relation to article 5.1 f) of the RGPD, which governs the principles of integrity and confidentiality of personal data, as well as responsibility proactive of the controller to demonstrate compliance. IV Article 83.5 a) of the RGPD, considers that the infringement of “the basic principles costs for the treatment, including the conditions for consent under the Articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the aforementioned article. Article 83 of the aforementioned Regulation, with administrative fines of € 20,000,000 at most mo or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the of greater amount. " Article 58.2 of the RGPD indicates: "Each control authority will have all the following corrective powers listed below: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/6 b) punish any person responsible or in charge of the treatment with warning when the processing operations have infringed the provisions of this Re- regulation; d) order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified time. " Recital 148 points out: "In the event of a minor offense, or if the fine that is likely to be imposed would constitute a disproportionate burden for an individual, rather than sanction by fine may be imposed a warning. It must however pay special attention to the nature, severity and duration of the offense, to its intentional nature, to the measures taken to alleviate the damages suffered, the degree of responsibility or any relevant prior infringement, the way in which that the supervisory authority has had knowledge of the infringement, to the fulfillment of measures ordered against the person in charge or in charge, to the adherence to codes of conduct and any other aggravating or mitigating circumstance. " There are no penalties preceding the claimed, the activity of the claimed It is not the usual data processing, nor was it intended to obtain benefits. The respondent has recognized this error, and it is clear that she withdrew from her Twitter the document posted immediately. V Formally notified of the initiation agreement, the complainant has submitted a written of allegations on March 4, 2021, stating: “We must state that my constituents withdrew from their Twitter account the document published in a immediate, not being the same on the network for more than 15 minutes, being published by error, error that once warned, caused the immediate withdrawal of the publication, no leaving a trace of any kind on the networks, neither of the data, nor of the content of the conciliation published by mistake, a fact that caused the complainant not to suffer no harm. Therefore, having recognized the facts and not having any previous sanction, taking into account the principle of proportionality and seriousness of what happened and the rapid correction made, we request in application of art. 148 of the RGPD that the sanction remain in a warning, showing our deepest regret for what happened, not being our intention to cause harm to anyone, since everything is It was due to an inadvertent error. We request: that they consider the facts to be recognized and if they consider that the action is reprehensible, we request that taking into account the principles of seriousness and proportionality, the sanction imposed on us is a Warning ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/6 Article 85 of Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures" provides the following: "one. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the sanction that proceeds ”. In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: IMPOSE THE ASSOCIATION OF PENITENTIARY WORKERS YOUR ABANDONMENT CAN KILL ME, with NIF G88300991, for an infraction of the article 6 of the RGPD, typified in article 83.5.a) of the RGPD, a warning sanction. SECOND: NOTIFY this resolution to ASSOCIATION OF WORKERS PENITENTIARIES YOUR ABANDONMENT CAN KILL ME, with NIF G88300991 In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es