AEPD - PS/00151/2020

From GDPRhub
AEPD - PS/00151/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Decided:
Published: 14.04.2021
Fine: 3000 EUR
Parties: n/a
National Case Number/Name: PS/00151/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) fined a landlord €3000 for violating Articles 5(1)(c) and 13 GDPR in relation to a video surveillance system in an apartment building.

English Summary[edit | edit source]

Facts[edit | edit source]

The defendant had installed a video surveillance system composed of four cameras in the building where he/she owns three apartments (of which two used for tourism activity), without asking for permission of the other people living in the building. These four cameras recorded data of personal character that had been incorporated into some type of computer file managed by the defendant. No information about the video surveillance was displayed in the building, leaving therefore the data subjects without notice. The surveillance system recorded every person passing without limitations.

Dispute[edit | edit source]

Was the system put in place violating the principle of data minimization and the obligation to give information to the data subjects as per articles 5 and 13 GDPR?

Holding[edit | edit source]

The Spanish DPA considered that the surveillance system installed was violating the minimization principle: the fact that some of the apartments in the building are dedicated to tourist activities does not legitimize the recording of the common areas, unless by agreement of the board of owners. The DPA imposed therefore a fine of €2000 for violation of Article 5(1)(c) GDPR.

Regarding the obligation to provide information to the data subjects, as there is no informational poster that informs the people affected about the data processing, the identity of the controller and the possibility of exercising their rights, there is a clear breach of the duty of information as per article 13 GDPR. The DPA imposed thus a fine of €1000 for violating Article 13 GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/10








     Procedure No.: PS / 00151/2020

                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                  BACKGROUND



FIRST: URBAN GUÀRDIA OF THE CITY COUNCIL OF FIGUERES (hereinafter,
the claimant) on October 2, 2019 filed a claim with the Agency
Spanish Data Protection. The claim is directed against A.A.A. with NIF
*** NIF. 1 (hereinafter, the claimed one). The reasons on which the claim is based, in its

Spanish translation, are the following:

“[…] On July 26, 2019 at 6:00 p.m., the agents of the Guardia Urbana de
Figueres with *** TIP.1 and *** TIP.2 in non-uniformed service go to the
*** ADDRESS. 1 to check what activity is carried out in this property due to

complaints from various residents of the area regarding constant entrances and exits of
different people and noises that disturb your rest.

Agents identify three people who reside on the first floor for rent:


a) A.A.A. calling himself B.B.B. […]

The agents warned that both at the entrance door of the property on the
interior as in each door of the floors 1º, 2º and 3º there were cameras of
video recording in operation. There was no informational poster […].


[…]

[…] It is clear that the property on the second and third floors is in the name of. A.A.A. […].

On 09/17/2019 […] Sergeant *** TIP.3 and agent *** TIP.4 went to the

property and verified that Mr. A.A.A. Y
They confirmed that it had the second and third floors on a tourist rental basis
[…].

[…]


Agents *** TIP.3 and *** TIP.4 in this inspection verified that indeed
there was a security camera working just enter the door of the
building and another on the doors of the 1st, 2nd and 3rd floors.

When questioned, A.A.A. confirmed to the agents that she had a video recorder in her

address and that he had them installed for security due to his rental activity
bedrooms. […]. There is also no authorization from the community of owners
in a board agreement that would allow this person to manage this system of
safety.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10









Considering the facts, it can be seen that these 4 cameras have recorded data from

personal character (one or several elements of the physical, physiological identity)
[…] And they have been incorporated into some type of computer file of a video recorder that
manages A.A.A. how are the faces of both different identified people and
the 4 acting agents […]. "


Along with the claim, provide the following documents:

1. Simple note of the property registry of the three floors that make up the
property.


2. Contract model used by the person in charge of renting the 2nd and 3rd floors.

3. Photographs of the exterior of the property and of the 4 cameras installed inside the
east (entrance, 1st, 2nd and 3 floors).


4. Model contract used by the claimed for tourist rental.

SECOND: Prior to the admission for processing of this claim, the
Subdirectorate General for Data Inspection sent the respondent a request for
information on November 4, 2019, which was notified on November 12,

2019. In the absence of a reply, the request for information was reiterated on
February 2020, the notification of which took place on February 27, 2020. No
received reply

THIRD: The Director of the Spanish Protection Agency agreed to admit

process the claim on June 1, 2020.

FOURTH: On November 3, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged infringements of articles 5.1.c) and 13 of Regulation (EU) 2016/679

(General Data Protection Regulation, hereinafter RGPD), typified in the
Article 83.5 of the same rule.

FIFTH: The commencement agreement was notified on November 13, 2020, the claimed
has not submitted a brief of allegations, so what is indicated in the

Article 64 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, which in its section f) establishes that in case
of not making allegations within the term provided on the content of the agreement of
initiation, it may be considered a resolution proposal when it contains a
precise pronouncement about the responsibility imputed, for which it proceeds

to issue Resolution.


In view of all the actions, by the Spanish Agency for Data Protection
In the present proceeding, the following are considered proven facts,





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/10








                                        FACTS


FIRST: In accordance with the Act of complaint raised by the Guàrdia Urbana de
Figueres on September 17, 2019 and the attached photographic report, the
claimed has installed a video surveillance system in the property located in
*** ADDRESS.1 composed of 4 cameras located in the portal and 1st, 2nd and 3rd floors.


1. The camera located in the portal is installed on top of a
side wall focusing on the access door to the building.

2. The camera located on the first floor is installed on a wall of the
landing.


3. The second floor camera is located above the door.

4. No photograph of the camera installed on the third floor is attached. According to
Act complaint, would be located above the door as well.


SECOND: There is no authorization from the community of owners for the installation
of the system and it does not have an informational poster.

THIRD: The defendant resides as a tenant on the 1st floor and in accordance with the

Simple notes from the Property Registry attached to the complaint, is the owner of
the flats located on the 2nd and 3rd floors of the property.

FOURTH: The defendant develops an economic activity consisting of renting
of the 2nd and 3rd floors of the building under the tourist accommodation regime.


FIFTH: The defendant declares to the agents that he has installed the cameras for
security reasons related to your room rental activity and that
has a video recorder at home.



                            FOUNDATIONS OF LAW

                                             I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights
(hereinafter, LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to solve this procedure.


                                             II

The defendant is charged, on the one hand, with the commission of an offense for violation
of article 5.1.c) of the RGPD that personal data will be “adequate, pertinent and

limited to what is necessary in relation to the purposes for which they are processed
("Data minimization"). "


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/10








Likewise, the defendant is charged with committing another offense for violation of the
Article 13 of the RGPD, which establishes that:


"1. When personal data relating to him are obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide
all the information indicated below:

a) the identity and contact details of the person in charge and, where appropriate, of their
representative;


b) the contact details of the data protection officer, if applicable;

c) the purposes of the treatment to which the personal data are destined and the legal basis
of the treatment;


d) when the treatment is based on article 6, paragraph 1, letter f), the interests
legitimate rights of the person in charge or of a third party;

e) the recipients or categories of recipients of personal data, in their
case;


f) where appropriate, the intention of the person responsible to transfer personal data to a third party
country or international organization and the existence or absence of a decision of
adequacy of the Commission, or, in the case of transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the

adequate or appropriate warranties and the means to obtain a copy of these or
to the fact that they have been borrowed.

2. In addition to the information mentioned in section 1, the person responsible for the
treatment will facilitate the interested party, at the time the data is obtained

personal information, the following information necessary to guarantee data processing
loyal and transparent:

a) the period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this deadline;


b) the existence of the right to request the data controller for access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation
of its treatment, or to oppose the treatment, as well as the right to portability
of the data;


c) when the treatment is based on article 6, paragraph 1, letter a), or article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the
consent prior to its withdrawal;


d) the right to file a claim with a supervisory authority;

e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/10








personal data and is informed of the possible consequences of not
provide such data;


f) the existence of automated decisions, including profiling, to be
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
significant on the applied logic, as well as the importance and consequences
provided for said treatment for the interested party.

3.When the data controller plans the further processing of data

personal data for a purpose other than that for which they were collected, will provide the
interested party, prior to said further processing, information on that other purpose
and any additional relevant information pursuant to section 2.

4.The provisions of paragraphs 1, 2 and 3 shall not apply when and in the

to the extent that the interested party already has the information. "

The aforementioned infractions are classified in article 83.5 of the RGPD, which
provides the following:

"Violations of the following provisions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:


a) the basic principles for the treatment, including the conditions for the treatment
consent in accordance with articles 5, 6, 7 and 9;

b) the rights of the interested parties in accordance with articles 12 to 22 […] "


For the purposes of the statute of limitations for offenses, both offenses are
considered very serious and prescribe after three years, in accordance with article 72.1 of the
LOPDGDD, which establishes that:

"Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose

a substantial violation of the articles mentioned therein and, in particular, the
following:

a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679. […]


h) The omission of the duty to inform the affected party about the processing of their data
personal in accordance with the provisions of articles 13 and 14 of Regulation (EU)
2016/679 and 12 of this Organic Law. […] "


                                            III

Article 22 of the LOPDGDD, relative to "Treatments for video surveillance purposes"
establishes in section 1 that: “Individuals or legal entities, public or private,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/10








may carry out image processing through camera systems or
video cameras in order to preserve the safety of people and property,
as well as its facilities ”. This treatment, which is legitimized in the cause of

fulfillment of a mission public interest public interest included in the article
6.1.e) of the RGPD, must comply with the principles set forth in article 5 of the
cited European standard.

One of these principles is that of data minimization (article 5.1.c), which establishes the
The need for the data to be processed to be the minimum necessary to carry out

carry out the purpose pursued by the person in charge. In this way, the cameras
installed will only be able to capture images of public roads to the extent that they are
essential and will avoid affecting the legal sphere of rights of third parties
people without just cause, so it will not be possible to obtain images of spaces
public areas or areas for private use of third parties without the concurrence of the aforementioned

just cause.

On the other hand, individuals who use this type of device are responsible
that these comply with current legislation, having to comply, when the property
It is under the community of owners regime, with the requirements
established in Law 49/1960, of July 21, on horizontal property (LPH). A) Yes,

the installation of a video surveillance system by an individual will require
authorization of the board of the community of owners both when its
location in a common area such as when, even installed in an area of use
private, orient yourself to surrounding common areas and capture - respecting in any case
the principle of data minimization — tangentially common areas.


As regards the joint assessment of factual elements in the
sanctioning procedure, it is necessary to indicate in advance that, in accordance with
with article 77.5 of the LPACAP, “The documents formalized by the civil servants
to which the status of authority is recognized and in which, observing the

corresponding legal requirements the facts verified by those
they will make proof of these unless the opposite is accredited ”. Therefore, since there is no
presented the claimed no evidence to the contrary, they must be fully understood
proven, for the purposes of this proceeding, the facts established and
documented by the agents of the Guàrdia Urbana de Figueres in their complaint report
of September 17, 2019.


Taking into account the above, the proven facts show that the
The complainant has installed a video surveillance system - alleging reasons of
security related to the tourist accommodation business that you run— in areas
common areas of the building, such as the portal and the landings of the floors. The system like this

installed violates the principle of data minimization in that the cameras in
operation capture areas that exceed those that would be covered by the
mentioned security purpose. The fact that some real estate in the building
are dedicated to tourist rental does not legitimize that the common areas are captured, to
Unless by agreement of the board of the community of owners the

installation of a video surveillance system in order to guarantee the safety of the
edifice.

                                           IV

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/10









The RGPD enshrines as another of its fundamental principles that of transparency in
relationship with stakeholders. As one of its manifestations, Article 13 of the

RGPD —in compliance with the duty of information contained in the preceding article
12 of the same legal text - regulates the information to be provided when the
personal data is obtained from the interested party, a situation that occurs in
cases in which images are captured by a video surveillance system. In this
In this sense, article 22.4 of the LOPDGDD establishes that “The duty of information
provided for in Article 12 of Regulation (EU) 2016/679 shall be deemed to have been fulfilled

by placing an information device in a sufficiently visible place
identifying, at least, the existence of the treatment, the identity of the person in charge and the
possibility of exercising the rights provided in articles 15 to 22 of the Regulation
(EU) 2016/679. An information code may also be included in the information device.
connection or internet address to this information ”.


Regarding this issue, the facts proven in the present proceeding also
They allow to prove that the claimed person, as the person responsible for the treatment carried out
through a video surveillance system, has breached the aforementioned duty of
information, as there is no informational poster that informs those affected that
the data processing of your image, the identity of the

responsible or the possibility of exercising their rights in this regard.

                                            V

The corrective powers available to the Spanish Agency for the Protection of

Data, as a control authority, are established in article 58.2 of the RGPD. Between
they have the power to sanction with warning -article 58.2 b) -, the
Power to impose an administrative fine in accordance with article 83 of the RGPD
-article 58.2 i) -, or the power to order the person in charge of the treatment
that the processing operations comply with the provisions of the RGPD, when

proceed, in a certain way and within a specified period - article 58. 2
d) -.

According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2
d) of the aforementioned Regulation is compatible with the sanction consisting of a fine
administrative.


                                           SAW

In accordance with the provisions of the RGPD in its art. 83.2, when deciding to impose a
administrative fine and its amount in each individual case will take into account the

aggravating and mitigating factors that are listed in the indicated article, as well as
any other that may be applicable to the circumstances of the case.

For the purposes of setting the sanction to be imposed on the claimed party, the
aggravating circumstance of intent or negligence in the offense (article

83.2.b) of the RGPD), since the complainant has not shown the minimum diligence
enforceable from the owner of a business in compliance with the applicable regulations in
data protection matters.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/10








Likewise, mitigating circumstance has been taken into account that the claimed is a
Physical person.


Based on the foregoing, a fine of two thousand euros (€ 2,000.00) should be imposed for
the violation of article 5.1.c) of the RGPD and one thousand euros (€ 1,000.00) for the violation of the
Article 13 of the RGPD, resulting in a total of three thousand euros (€ 3,000.00).


On the other hand, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD,
according to which each supervisory authority may 'order the person in charge or in charge
of the treatment that the treatment operations conform to the provisions of the
this Regulation, where appropriate, in a certain way and within a
specified term […] ”, the person in charge must prove, within a period of (1) month, the

following extremes:

 Having proceeded to remove the camera located in the portal of the building.

 Having proceeded to remove the cameras located on the 1st, 2nd and 3rd floors of the

property or its reorientation towards private areas.

 In the event that the installation of a camera that complies with the
principle of data minimization, having proceeded to the placement of the device

informative in the video-monitored areas or to complete the information offered in the
itself (at least the existence of a treatment, the identity of the
responsible and the possibility of exercising the rights provided for in said precepts),
placing this device in a sufficiently visible place. Likewise, you must prove
that keeps at the disposal of those affected all the information referred to in the

GDPR.

It is noted that not meeting the requirements of this body may be
considered as an administrative offense in accordance with the provisions of the RGPD,
classified as an offense in its articles 83.5 and 83.6, being able to motivate such conduct the

opening of a subsequent administrative sanctioning procedure.


Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the

Spanish Agency for Data Protection RESOLVES:


FIRST: IMPOSE A.A.A., with NIF *** NIF.1,


 For an infringement of article 5.1.c) of the RGPD, typified in article 83.5 of the
mentioned rule, a fine of TWO THOUSAND EUROS (€ 2,000.00).

 For an infringement of article 13 of the RGPD, typified in article 83.5 of the aforementioned

norm, a fine of THOUSAND EUROS (€ 1,000.00)

The total of the fines amounts to THREE THOUSAND EUROS (€ 3,000.00)



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/10








SECOND: ORDER A.A.A., with NIF *** NIF.1, which certifies, within the maximum term
of ONE MONTH from the notification of this resolution, the following points:


 Having proceeded to remove the camera located in the portal of the building.

 Having proceeded to remove the cameras located on the 1st, 2nd and 3rd floors of the
property or its reorientation towards private areas.


 In the event that the installation of a camera that complies with the
principle of data minimization, having proceeded to the placement of the device
informative in the video-monitored areas or to complete the information offered in the
itself (at least the existence of a treatment, the identity of the
responsible and the possibility of exercising the rights provided for in said precepts),

placing this device in a sufficiently visible place. Likewise, you must prove
that keeps at the disposal of those affected all the information referred to in the
GDPR.

THIRD: NOTIFY this resolution to A.A.A. and inform the claimant.


FOURTH: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period

voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case

Otherwise, it will be collected in the executive period.

Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th of the following or immediately subsequent business month, and if

between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.


In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/10









Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.



                                                                                      938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection






































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es