AEPD - PS/00113/2019
|AEPD - PS/00113/2019|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 58(2)(b) GDPR
|National Case Number/Name:||PS/00113/2019|
|European Case Law Identifier:||n/a|
|Original Source:||aepd.es (in ES)|
|Initial Contributor:||Pablo Rossi|
AEPD imposes a warning sanction on a municipality officer for infringement of Article 5.1(a) GDPR. An administrative request that the complainant had submitted to the municipality was published in a public Facebook group with more than 2000 followers.
English Summary[edit | edit source]
Facts[edit | edit source]
In a public group on Facebook, the respondent posted for two hours an administrative instance of the complainant, where his name, surname and claims could be visualized. The respondent (a public official) justifies his action by the fact that this Facebook page serves as a forum for discussion and response to questions of public interest raised by the neighbors. In this case, he published the administrative instance of the claimant to confront it with the version of a rival political party, considering that this was necessary for reasons of public interest.
Dispute[edit | edit source]
Can the actions on behalf of the claimant (publication in a public Facebook group of an administrative instance) be legitimised for reasons of public interest and transparency?
Holding[edit | edit source]
Firstly, the AEPD considered that the administrative instance presented by the claimant contains data whose management and custody is the responsibility of the city council, and whose nature and destination is not the dissemination for knowledge of third parties in a Facebook account. Therefore, transparency issues must be solved through the instruments specifically determined in the law, in no case through Facebook. They also considered that the fact that the complainant has an establishment open to the public, or is known in the area, is irrelevant for data protection purposes. Finally, it was considered that the actions had been carried out in a private manner by the claimant, escaping the circle of responsibility of the municipality.
In view of the above, it was considered that the claimed person did not have a lawful basis for the processing of personal data, and was therefore considered to be unlawful. In this sense, the defendant was charged with an infringement of Article 5.1 f) of the GDPR, since the defendant did not act within the local institutional framework, which is the one required to take security measures, but rather in a personal manner on the social network Facebook.
In view of the above, AEPD decided to impose on the defendant for an infringement of Article 5(1)(a) GDPR a warning penalty in accordance with Article 58(2)(b) GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
• Procedure Nº: PS / 00113/2019 938-090320 RESOLUTION OF PENALTY PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on the following BACKGROUND FIRST: AAA ( hereinafter, the claimant) on 10/19/2018 filed a claim with the Spanish Agency for Data Protection. The reasons on which you base the claim are that BBB, *** CHARGE.1 of *** LOCALITY. 1, Posted 10/11/2018 at 12:01 " from your personal FACEBOOK account and in a public group "" called WE ARE FROM *** LOCALITY. 1 "," which as of the date of this writing has 2,179 followers ”(*** URL.1) in your particular profile (*** URL.2) an administrative instance that the claimant had presented to the City Council on 01/17/2018 " " In that letter (on request for action on a road next to your home) all my personal data (name and surname, full address, etc.) are perfectly identified, as well as the claim pursued. Airing through social networks, by himself *** CHARGE.1, when its knowledge and resolution should have been forbidden to the persons involved in an administrative file of that nature " It states that: - " … All the members of that public group of that social network had access to my personal data and the content of the document that I had presented at the offices of the *** City Council LOCALITY. 1 " - " At 2:49 p.m. that day, Mr. BBB, Knowing perfectly that he had committed this irregularity, he erased that first document and replaced it with a partial copy of it, where these personal data are no longer distinguished. I want to expressly state that in no way have I authorized this second publication either, and that this writing was made by me to make a request to the City Council and in no case for Mr. BBB make particular and political use of it, in a private capacity in a public and open network. " SECOND: In view of the facts stated, the claim was transferred to the defendant, BBB, *** Town Hall LOCALITY. 1, to report: one. Clear specification of the causes that have led to the incident that has given rise to the claim. two. Details of the measures adopted by the person in charge to solve the incident and to avoid new incidents such as the one set out. 3. Documentation proving that the right of the claimant to be informed about the course and result of this claim has been met. C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 2/8 The data protection delegate of the City Council answered on 02/15/2019, stating that the presentation of the document with the data was made by the natural person of BBB, and that the City Council or the position has no responsibility or significance whatsoever not representing the local entity, considering that it did so as a neighbor. On the measures to take is: - Suggest that the respondent cease their activity on the social network or do so in a personal capacity without publishing documents that may mislead the information about their nature or origin. - That the complainant send a letter of apology to the complainant indicating the nature of his publications. - Training in relation to the new data protection regulations, especially for people who have to disseminate information on networks and other dissemination channels. As for whether the claimant has been informed of the adopted resolution, they provide a copy of the letter they send him, on behalf of the city council, specifying that it has no responsibility in the case. THIRD: On 02/26/2019, the Director of the AEPD agrees to admit the claim for processing. FOURTH: On 11/28/2019, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure for APERCIBIMENTO to BBB, for the alleged violation of Article 5.1.f) of the RGPD, in relation to article 5 of the LOPDGDD, as indicated in article 83.5 a) of the RGPD. FIFTH: Once the aforementioned initiation agreement was notified, the defendant presented a brief of allegations in which, in summary, he states: one) The social community claimed the installation of a mirror on the regional highway in front of the * * * LOCALITY. 2, as a request from the councilors themselves made on 03/01/2018. Attach impression of that manifestation, which is not visible. It indicates that "p To clarify this untrue manifestation, the claimant's data was exposed. " two) " The exposition is considered legitimate because the road safety action, of public interest, had its origin in the instance of the claimant ”, Which also owns the aforementioned bowling alley and a bar open to the public. " The claimant's data are public, notorious data, and correspond to a hotel facility open to the public. The performance of said facility was a matter of public interest. " 3) The page "*** PAGE 1 " on Facebook " of my particular profile " is a " vehicle of transparency in my management as *** CHARGE.1 in front of the City Council of * * * LOCALITY. 1 "," due to its nature as a public group in which I try to respond to the questions of public interest raised by the residents of Penagos, and to be Days before, on 10/9/2018, the Political Group of the PP of *** LOCALITY. 1 in said network C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 3/8 a forum for debate and exposition of ideas regarding the needs of the population of the municipality and the information that may be of public interest around the municipality ”. SIXTH: On 03/05/2020, a resolution proposal was formulated, proposing “ That the Director of the Spanish Agency for Data Protection sanction with APERCIBIMIENTO to BBB, for an infringement of article 5.1.a) of the RGPD, as indicated in article 83.5 a) and 58.2.a) of the RGPD. " No allegations were received within the term granted. PROVEN FACTS one) The claimant filed an instance with the claimed City Council on 01/17/2018 on request for action in a road next to your home. two) In the private account and personal of the claimed FACEBOOK, in a public group "" called WE ARE FROM *** LOCALITY. 1 ”, (*** URL.1) in your particular profile (*** URL.2) the defendant exposed on 10/11/2018 from 12:01 a.m. to 2:49 p.m., the claimant's instance of 01/17/2018 containing name and surname, full address, and the request for the installation of a road element. 3) The defendant justifies the treatment that said FACEBOOK page serves as a forum for discussion and response to questions of public interest raised by residents of * * * LOCALITY. 1, forum for debate and presentation of ideas regarding the needs of the municipality's population, with information that may be of public interest around the municipality. 4) The defendant who exposed on FACEBOOK the complete petition of the claimant with their data adds to counteract the manifestations of the PP political group that claimed the initiative of having requested the installation of a mirror in a vial, in March 2018 when it was the claimant in an earlier petition filed with the City Council which initiated it. The complainant considers that full knowledge of the claimant's data that appeared in that request of 01/17/2018 was necessary because it was considered to be of public interest and that the data was known because he is the owner of a hospitality establishment. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and resolve this process. C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 4/8 II The RGPD defines in its article 4: one) " personal data ": any information about an identified or identifiable natural person (" the interested party "); An identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of identity. physical, physiological, genetic, psychic, economic, cultural or social of said person; " two) " treatment »: any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, deletion or destruction; 4) "file": any structured set of personal data, accessible according to certain criteria, whether centralized, decentralized or distributed in a functional or geographical way; 7) "controller" or "controller": the natural or legal person, authority, service or other body that, alone or together with others, determines the purposes and means of processing; If the law of the Union or of the Member States determines the purposes and means of the treatment, the controller or the specific criteria for their appointment may be established by the law of the Union or of the Member States; 10) "third party": natural or legal person, authority, service or body other than the interested party, the data controller, the data controller and the persons authorized to process the personal data under the direct authority of the controller or processor; " The fundamental right to data protection seeks to guarantee its owner a power of control over their personal data, its use and destination, in order to prevent its illicit traffic and harmful to the dignity and right of the affected person. The document submitted by the claimant to the City Council contains data whose management and custody is the City Council, his character and destiny are not the dissemination for the knowledge of third parties, in a particular FACEBOOK account, but the attention of the City Council, competent for the management of the matter that the claimant urged. As *** CHARGE.1, in his position, this person, who is also the one claimed, may have access to said document, but it is proven that he makes a merely private use to answer a statement from another political group in his private FACEBOOK account, without any reference to the City Council or political group. Transparency issues, if they are related to the active advertising to be exhibited, must be through the instruments specifically determined in the regulations, with the corresponding requirements, not being foreseen in any case that official disclosure in the bosom of FACEBOOK. C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 5/8 In addition, the presentation of an instance by an individual to undertake specific actions does not fall within the matters that must be fully exposed as active transparency, including the personal data of the petitioner as it is not proportional to the purpose, adequate, or pertinent, even if you have a bar or run a business open to the public, or are known for it. In this case, the data was linked to an instance that is registered with the City Council because it is a matter of its competence, not for the use of the claimed in a particular medium when it has deemed it appropriate, for which it has no competence or powers. If what the defendant wanted was to reply that the initiative on the road action had been of an individual, the treatment of their data on said platform is not proportional or adequate nor does it comply with regulations, for example, having crossed out data without being visible any identifying element. The fact that the claimant has an establishment open to the public, or that it is known in the area, is indistinct for data protection purposes since the complainant provides their data for a purpose in a specific public matter. The fact is that these data are subject to the own reserve conferred by the office of administrative affairs, not for dissemination and comments with other participants. The private use of the claimed is beyond the circle of responsibility of the City Council as a public entity. It seems clear that the *** CHARGE.1 You cannot use the data of third parties to defend your performance or management in a social network at a particular level, which has nothing to do with said issue or with the official transparency system by which your activity is to be manifested. It follows that the exclusive will of the complained party has intervened in the access and disposition of the document obtained and disclosed, who technically treats it through the FACEBOOK platform, and as a result of this, third-party knowledge of their data is produced that is not it must have given, nor was it otherwise expected by the claimant. The social network FACEBOOK is an automated data platform, being at the time of the facts, the claimed one who used it as a tool for disseminating information. The fact that you use the platform offered to enjoy the services associated with it does not exempt you from complying with the data protection regulations as the person responsible for the treatment you have carried out. It is concluded that the defendant carries out data processing with an instance that had access to the city council on a road safety issue, and without the consent of the owner of the data, and with the consequent surprise, his data was exposed of any expectation. In the present case, the freedom of expression of the claimed party, who additionally held the status of *** CHARGE.1 At that time, it could have also materialized without disclosing the complete data of the claimant. The use of the social platform for informational, political or social purposes does not apply the exemption of “ domestic environment ”. In this case, the user, the claimed party assumes full responsibility for a data controller who reveals personal data to C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 6/8 another data controller (SERVICIO DE RED SOCIAL, SRS) and third parties (other SRS users or even, potentially, other data controllers who have access to them). In such circumstances, the user would need the consent of the aforementioned interested person, or another legitimate basis that appears in article 6.1 of the RGPD. In the present case, the expressions of a private title of the claimed person do not respond to an action subject to administrative law, since he did not act by displaying any competence that is attributed to him by the norm in this regard, but rather in an informal way, issuing opinions and lawsuits, accompanied by the instance that the claimant presented in the past, making a favorable use of him to refute what another political group said. Because the installation of the road element, the object, is in the public interest, the data of the petitioner, claimant, must not therefore be sacrificed and exposed, and the reason for treatment of public interest cannot succeed. The claimed person, acting in a private capacity, lacks a legitimate basis for the treatment he has carried out, considering it not lawful, as it is not supported by any legitimate basis contained in any of the points of article 6.1.a) to f) of the RGPD In this sense, the proposal proceeded to vary the imputation to the defendant of the infringement of article 5.1.f) of the RGPD, because the defendant did not act in this case in the local institutional framework, which is the one that is required to take security measures, and arise, not within the powers and organization of the city council, but in a private capacity in the social network FACEBOOK from your personal account, using your particular profile. Not proving that the complainant has an enabling title for the processing of data under any perspective of article 6.1 of the RGPD, or specific reason for the aforementioned treatment carried out, it is considered that the infringement falls within the article 5.1.a) of the RGPD which indicates: The personal data will be: a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty and transparency »); It also contributes to this classification, that in addition, the data is not treated in a fair manner when it is presented in a public registry and is extracted, publishing it in a private system such as FACEBOOK, for particular uses that the claimed person exercises. The defendant should have considered whether the use that he was going to give said data confronts with the loyalty in the use of the same as soon as they were given for a very specific purpose, without the invasion of the claimant's right being justified. The brief presented by the claimant in January 2018 as a matter to be managed, is capable of identifying its signer through the data that is contained, either on paper or in electronic format. That document, after nine months, could be that with the matter already resolved or started, it is uploaded to a platform such as FACEBOOK, The respondent should not use management documents, of a public nature, on a particular page and through a platform to which anyone can have access to know the claimant's data. C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 7/8 As for the own use of FACEBOOK, the main rule of use, especially of a public position, is as a general rule not to expose in a social network in a private capacity personal data of citizens referring to the presentation of their requests that identify or identify them. make identifiable. III Article 83.5 a) of the RGPD, considers that the violation of “The basic principles for the treatment, including the conditions for consent in accordance with articles 5, 6, 7 and 9 ”is punishable, with administrative fines of a maximum of € 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for by the one with the highest amount. " Article 58.2 of the RGPD indicates: " Each supervisory authority shall have all of the following corrective powers indicated below: b) punish any person responsible or in charge of the treatment with warning when the processing operations have infringed the provisions of this Regulation; d) order the person in charge of the treatment that the processing operations they comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period; Recital 148 of the RGPD indicates that in order to impose the appropriate corrective measure, special attention must be paid to the nature, seriousness and duration of the infraction, or to any relevant previous infraction, and to any other aggravating or mitigating circumstance. For natural persons, instead of a fine, a warning can be imposed. In this case, the disclosure of the data takes place for just three hours, applying the warning measure. Therefore, in accordance with the applicable legislation and proving the existence of the infringement, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE BBB, for an infraction of article 5.1.a) of the RGPD, as indicated in article 83.5a) of the RGPD, a sanction of APPEARANCE, in accordance with article 58.2.b) of the RGPD. SECOND: NOTIFY this resolution to BBB THIRD: In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure pursuant to art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a period of one month from the day following notification of this resolution or directly administrative contentious appeal before the Contentious-Administrative Chamber of the National Court, with C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 8/8 pursuant to the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the following day upon notification of this act, as provided in article 46.1 of the aforementioned Law.