AEPD (Spain) - PS/00136/2020
| AEPD - PS/00136/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 6(1) GDPR Article 13 GDPR Article 14 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 10.03.2021 |
| Fine: | 8000 EUR |
| Parties: | Filigrana Comunicación |
| National Case Number/Name: | PS/00136/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD decision (in ES) |
| Initial Contributor: | n/a |
The Spanish Data Protection Authority (AEPD) fined Filigrana Comunicación with €8,000 for the infringement of Articles 6(1), 13 and 14 GDPR, as the company gathered and re-used data from the Andalusian Education Department without a legitimate basis, and they did not fulfill their information obligations.
English Summary
Facts
Filigrana Comunicación gathered public data from the Andalusian Education Department and re-posted them in their webpage. They did it without a legitimate basis, and they did not fulfill their information obligations, regarding both Article 14, about data obtained from a source different than the data subject (in this case, the Andalusian Education Department), and Article 13, regarding general information obligation.
Dispute
Can a company re-post public data in their webpage without a legitimate basis?
Holding
The fact that a public administration or body publish documents containing personal data does not mean that they are "open data". The fact that the data is accessible to anyone does not necessarily result in the lawfulness of processing without a basis from Article 6. Therefore, the AEPD considered that there has been an infringement of Article 6.1, entailing a fine of €2000.
Article 14 refers to the information that must be provided when the data have not been obtained directly from the data subject, as is the case. The fine for this infringement is €2000.
Article 13 specifies the information that must be provided to the data subject. In this case, the privacy policy does not provide the information about the data controller or about the rights to which the data subject is entitled. In addition, the company had a subscription form to their system, in which it is understood that consent is granted through the "acceptance" of the privacy policy. The privacy policy was not in line with the general information requirements. The fine for the violation of Article 13 is €4000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
