| AEPD - PS/00143/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Article 19(3) Law on Horizontal Properties Article 9(1)(h) Law on Horizontal Properties |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 21.10.2020 |
| Published: | 23.10.2020 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | PS/00143/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA (AEPD) held that posting the name and outstanding debt of the claimant on a public notice board was in violation of Article 5(1)(f) GDPR.
English Summary
Facts
The claimant's personal data was written on a notification document posted on a public notice board. The notification document was posted by the defendant (the neighbourhood community) as a call for the claimant to attend a General Assembly meeting. The notification document included the claimant's name and an outstanding debt of €286,81 in his name.
The defendant claimed that notifying via the public notice board was standard practice since 2014 as well as notifying through a more direct means of communication (such as ordinary mail or 'burofax'). The defendant claimed that it had not notified the defendant via a more direct means of communication as this notification would not have arrived on time.
Dispute
Is posting a data subject's name and outstanding debt on a public notice board in breach of Article 5(1)(f) GDPR?
Holding
The Spanish DPA held that the defendant cannot rely on the argument that the notification would arrive too late using burofax. The defendant could just send the notification earlier.
The DPA nonetheless outlined that notification via notification on the public notice board was authorised by virtue of Article 9(1)(h) of the Law on Horizontal Properties ("Ley de Propiedad Horizontal"). However, it also held that publishing the claimant's personal data on a public notice board was in breach of Article 5(1)(f) GDPR ("integrity and confidentiality").
Therefore, the Spanish DPA held that there was an infringement of the GDPR. It imposed a warning sanction on the neighbourhood community.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1
1/6
Procedure No.: PS / 00143/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and
based on the following
BACKGROUND
FIRST: AAA (hereinafter, the claimant) on April 12, 2019 filed
claim before the Spanish Agency for Data Protection. The claim is
directed against COMMUNITY OF OWNERS RRR with NIF *** NIF.1 (hereinafter,
the claimed).
The reasons on which the claim is based are that the administrator, BBB , mailed to
all owners the annual meeting call and at the same time exposed in the
community notice board, the main sheet of the call with data
relating to outstanding debts, which were to be discussed in the
aforementioned meeting.
And, among others, attach the following documentation:
Copy of the minutes of the ordinary meeting of 03/21/2019 where it appears:
o In the "Settlement pending debt" section, the complainant
with an amount of € 286.81.
o That the complainant is informed that the placement of the call
on the notice board has been the only way to carry out the
reliable notification.
Photograph of the call to the Ordinary General Meeting session to be held
on March 21, 2019 from the COMMUNITY OF OWNERS RRR,
located on a bulletin board. In said call it appears, within the
section of the debt, the name and surname of the complainant along with the amount
of € 286.81.
SECOND: On May 9, 2019, the complaint was transferred to
COMMUNITY OF OWNERS RRR , in the actions with reference
E / 04557/2019. The notification is made electronically through notific @.
According to this notification system, the automatic rejection has occurred when
ten calendar days have elapsed since it was made available and not proceed to its
reading.
THIRD: On June 5, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged violation of Article 5.1.f) of the RGPD, typified in Article 83.5 of the
RGPD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 2
2/6
FOURTH: On August 29, 2020, a resolution proposal was formulated,
proposing that it be imposed on the COMMUNITY OF OWNERS RRR , with NIF
*** NIF. 1 , for an infringement of article 5.1.f) of the RGPD, typified in article 83.5
of the RGPD, a warning sanction.
In view of all the actions, by the Spanish Protection Agency
of Data in this procedure the following are considered proven facts,
ACTS
FIRST: Publication on the notice board of the claimed community, the debt
of the claimant together with his name and surname.
SECOND: The claimed neighborhood community states that since 2014
communications are made through mailboxes, postal mail, email and
notice board for three days.
The document in which the claimant's data works is the call for the
Meeting of the Ordinary General Meeting on March 21, 2019.
The summons to said neighbors meeting was held between March 12 and 13,
2019, so the bulletin board was chosen as a means of communication for
ensure that all summoned attended.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in arts. 47 and 48.1 of the LOPDGDD, the
Director of the Spanish Agency for Data Protection is competent to resolve
this procedure.
II
Article 6.1 of the RGPD establishes the assumptions that allow considering
lawful processing of personal data.
For its part, article 5 of the RGPD establishes that personal data will be:
"A) treated in a lawful, loyal and transparent manner in relation to the interested party
("Lawfulness, fairness and transparency");
b) collected for specific, explicit and legitimate purposes, and will not be processed
subsequently in a manner incompatible with said purposes; in accordance with article 89,
section 1, the further processing of personal data for archiving purposes in
public interest, scientific and historical research purposes or statistical purposes are not
deemed incompatible with the original purposes ("purpose limitation");
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 3
3/6
c) adequate, relevant and limited to what is necessary in relation to the purposes
for those who are processed ("data minimization");
d) accurate and, if necessary, updated; all measures will be taken
reasonable so that the personal data that
are inaccurate with respect to the purposes for which they are processed ("accuracy");
e) maintained in a way that allows the identification of the interested parties
for no longer than is necessary for the purposes of data processing
personal; personal data may be kept for longer periods
provided that they are treated exclusively for archival purposes in the public interest,
scientific or historical research or statistical purposes, in accordance with article
89, paragraph 1, without prejudice to the application of technical and organizational measures
appropriate measures imposed by this Regulation in order to protect the rights and
freedoms of the interested party ("limitation of the conservation period");
f) treated in such a way as to guarantee adequate security for the
personal data, including protection against unauthorized or illegal processing and
against their loss, destruction or accidental damage, by applying measures
appropriate technical or organizational ("integrity and confidentiality").
The person responsible for the treatment will be responsible for compliance with the
provided for in section 1 and capable of demonstrating it ("proactive responsibility"). "
III
In the present case, it has been verified that in the convocation of the
Ordinary General Meeting to be held on March 21, 2019 of the COMMUNITY OF
OWNERS RRR, located on a notice board, consists, within the
section of the debt, the name and surname of the claimant together with the amount of
€ 286.81.
The claimed neighborhood community states that since 2014 the
distribution of the call is made by mailing to the owners
residents in the property, sending by ordinary mail to non-resident owners
in Calanda 19, by email to all the owners who so requested and
by placing it on the bulletin board surface for three days.
In addition, notifications that require it are sent through burofax
with delivery notification and content certificate. However, the claimant
He usually claims that he does not receive the notifications that the rest of the neighbors do
receive with ordinary character.
The defendant justifies his action by noting that as the call for the
Meeting of the Ordinary General Meeting of March 21, 2019 was held between
March 12 and 13, 2019, and the maximum period to collect a burofax is 30 days and
this owner always usually runs out of time, the probability that it was not
notified in time said call, was very high.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 4
4/6
This argument is not in accordance with the law, since, if the
claimed decides to notify by burofax, the denounced facts would be solved,
simply issuing said communication with enough time for the
claimant receives it.
Also note that as a means of personal and individualized notification to the
owner, the Horizontal Property Law, indicates the assumptions in which the
exposure of personal data related to matters derived from the
management of the Community of Owners. Its article 9. h) indicates as an obligation of the
owner “Communicate to whoever exercises the functions of secretary of the community,
any means that allows proof of receipt, the address in Spain
for the purposes of citations and notifications of all kinds related to the community.
In the absence of this communication, the address will be for citations and
notifications of the apartment or premises belonging to the community, having full effect
those delivered to the occupant thereof. If you attempted a subpoena or notification
it was impossible for the owner to practice it in the place provided in the previous paragraph,
It will be understood as carried out by placing the corresponding communication in
the community bulletin board, or in a visible place of general use enabled by
effect, with expressive diligence of the date and reasons why this
notification form, signed by whoever exercises the functions of Secretary of the
community, with the approval of the President. The notification practiced in this way
it will produce full legal effects within a period of three calendar days ”.
Article 19.3 of the LPH, second paragraph, indicates: " The minutes of the meetings are
will forward to the owners in accordance with the procedure established in article
9. "
According to the available evidence, it is considered
proven the public exposure of a document on the notice board of the aforementioned
community, showing the claimant's personal data, and therefore it is understood that
the claimed entity has violated article 5.1 f) of the RGPD, which governs the principles
integrity and confidentiality of personal data, as well as responsibility
proactive of the person in charge of the treatment to demonstrate its fulfillment ”.
IV
Article 72.1.a) of the LOPDGDD states that “ depending on what is established
Article 83.5 of Regulation (EU) 2016/679 are considered very serious and
The infractions that suppose a substantial violation will prescribe after three years
of the articles mentioned therein and, in particular, the following:
a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679
V
Article 58.2 of the RGPD provides the following: “Each control authority
will have all of the following corrective powers listed below:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 5
5/6
b) sanction any person responsible or in charge of the treatment with
warning when the processing operations have violated the provisions of
these Regulations;
d) order the person in charge of the treatment that the operations of
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time;
i) impose an administrative fine in accordance with article 83, in addition or in
place of the measures mentioned in this section, depending on the circumstances
of each particular case;
The art. 83.5 of the RGPD establishes that the infractions that
affect:
“A) the basic principles for the treatment, including the conditions for
consent in accordance with articles 5, 6, 7 and 9;
b) the rights of the interested parties in accordance with articles 12 to 22. "
SAW
On the other hand, article 83.7 of the RGPD provides that, without prejudice to the
corrective powers of the control authorities pursuant to art. 58, paragraph 2,
Each Member State may lay down rules on whether and to what extent it is possible to
impose administrative fines on authorities and public bodies established in
that Member State.
In view of the above, the following is issued
Therefore, in accordance with the applicable legislation and the criteria of
graduation of sanctions whose existence has been proven,
the Director of the Spanish Agency for Data Protection RESOLVES:
FIRST: IMPOSE the COMMUNITY OF OWNERS RRR , with NIF *** NIF.1 ,
for an infraction of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD,
a warning sanction.
SECOND: REQUIRE the claimed party to accredit within one month
before this body the compliance that proceeds to the adoption of all the
measures necessary for the respondent to act in accordance with the principles of
"Integrity and confidentiality" of art. 5.1 f) of the RGPD.
THIRD: NOTIFY this resolution to the COMMUNITY OF OWNERS
RRR .
In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 6
6/6
Against this resolution, which ends the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, the interested parties may optionally file an appeal for reversal
before the Director of the Spanish Agency for Data Protection within a period of
month from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the firm resolution may be suspended in an administrative way
If the interested party expresses his intention to file a contentious appeal-
administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Agency for Data Protection,
Presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Too
must forward to the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency is not aware of the
filing of the contentious-administrative appeal within a period of two months from the
day after the notification of this resolution, I would terminate the
precautionary suspension.
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
