AEPD - PS/00200/2019

From GDPRhub
AEPD - PS/00200/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: n/a
Fine: n/a
Parties: Owners association
National Case Number/Name: PS/00200/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish Data Protection Agency (AEPD) decided to impose a warning on a Spanish owner association (the defendant), for the open publication of personal data related to the claimant in the notice board of the community, with the consequent infringement of the confidentiality principle, as per Article 5(1)(f) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The decision is the consequence of a complaint submitted by a Spanish citizen stating that the defendant had openly published his/her personal data in the entrance of the garage of the community; the claimant also attached some pictures of notice board.

Dispute[edit | edit source]

The defendant answered to the AEPD investigation declaring that (1) the publication of such information was only addressed and available to the members of the community (and not to the general public), and that (2) it was strictly related to the interests of the community, as it referred to a court sentence on upcoming building works over common areas of the community that the claimant was not respecting. The defendant also added that, (1) as soon as it knew about the existence of this claim, the publication was immediately withdrawn, (2) a letter of apology was sent to the claimant, (3) internal safety protocols were reviewed and (4) instructions on the need to anonymously publish this kind of information has been included at the notice board. The AEPD started the corresponding sanction procedure.

Holding[edit | edit source]

The AEPD understood that the publication of the personal data of the claimant could breach the confidentiality principle, so, after considering some circumstances (the information was not only available to the members of the community, but also potentially to friends, family and third parties related to them that are no owners strictly), it imposed a warning to the defendant.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/5 Procedure No.: PS / 00200/2019938-300320RESOLUTION OF SANCTIONING PROCEDUREOf the procedure instructed by the Spanish Agency for Data Protection andbased on the followingBACKGROUNDFIRST: AAA (hereinafter, the claimant) dated 11/15/2018, filedclaim before the Spanish Agency for Data Protection against the COMMUNITYOF OWNERS RRR in *** ADDRESS.1 (hereinafter, the claimed one). Heclaimant filed in June 2018 a lawsuit against the defendant, which isHe transferred on 09/19/2018 and part of that demand, containing his personal datahas been exhibited in the accesses to the garages of the Community on 10/22/2018, inthe inside of a bulletin board.Provide two photographs. In one of them, seen further away, you can see a planklocked and glazed, containing two leaves, one next to the other. Next toa large cork board. In the closest shot you can see the two leaves, the firstIt is a document with the logo of a shield, “ cédula de emplacimiento ” and inthe other reads representation and defense, but the text is not well distinguished, appearingsome sections underlined with marker.SECOND: On 12/17/2018, the claim is transferred to the one claimed with theliteral:" In accordance with article 65.4 of Organic Law 3/2018, of 5/12, of Pro-protection of Personal Data and guarantee of digital rights (LOPDDGG),I forward the claim submitted to analyze said claim and communicatethat the claimant the decision adopted in this regard.Likewise, within one month from receipt of this letter, you mustprovide this Agency with the following information :"1 . Copy of the communications, of the adopted decision that has been sent to themaintain regarding the transfer of this claim, and accreditation that the claim-you have received the communication of that decision.2. Report on the causes that have motivated the incident that has originated the claim.mation.3. Report on the measures adopted to prevent incidents from occurring if-thousands.4. Any other that you consider relevant . "On 01/22/2019, the Administrator Secretary of the claimed party, namednothing GESTICAN ADMINISTRACIONES SL, states that the board where it was exposedpart of the sentence is located in a space with access only to owners of theproperty, not the general public, for this purpose and enabled for it.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/5The communication was for community interest, since the object affected ele-common mentions -In the General Meeting of owners of 03/12/2018, the claimant andThe rest of the community members adopt an agreement regarding the undertaking of works inthe covered areas of each of the blocks that make up the Residential. The-The mandate presented did not obey the agreements adopted and therefore the need wasaria and essential information for community members.THIRD: The claim was accepted for processing by the director of the AEPD on05/10/2018.FOURTH: On 11/11/2019 the Director agreed:" FIRST: INITIATE SANCTIONING PROCEDURE to the COMMUNITYOF RRR OWNERS , for the alleged infringement of article 5.1.f) of the RGPDin accordance with article 83.5 of the RGPD. "FIFTH : On 11/28/2019 allegations are received from CONSULTANCY AND FINCASCANARIAS, SL which indicates is the new administrator. In them she reiterates what was statedin the previous procedures, and adds that the exhibition took place in an access areaunique for the owners of the Community parking spaces -24 spaces-, thusas maintenance and cleaning staff. Consider that it has notmade a publication with open access to anyone outside theCommunity.The exhibition was withdrawn upon learning of the claim.As corrective measures, a letter was sent apologizing to the affected person,the data security breach was assessed, the protocols have been reviewed tocases of exposure of personal data and instructions forpost on the community board.Provide a copy of the treatment order contract with the claimed04/23/2019.Copy of letter addressed by ASESORÍA Y FINCAS CANARIAS to the claimantIn which the date does not appear, notifying him of the measures adopted.Copy of protocol for cases of exposure of personal dataposted on the community bulletin board, stating that not eventhose that can be identifiable and that would be anonymized and other issuesconnectedSIXTH: Proposal for resolution of the literal was issued:" That by the Director of the Spanish Agency for Data Protectionsanction with APPRECIATION to the COMMUNITY OF OWNERS RRR, withNIF *** NIF. 1 , for a violation of Article 5.1.f) of the RGPD, in relation to ArticleC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/55 of the LOPDGDD, as indicated in article 83.5 of the RGPD, and article 58.2.b)of the RGPD . "No allegations were received regarding the proposal.In view of all the actions, by the Spanish Protection Agencyof Data in this procedure the following are considered proven facts,ACTSone)On the occasion of the processing of a legal claim made by the claimantagainst the Community, it was transferred to the Community claimed by theCourt. The Community partially exhibited it on the closed boardbelonging to the Community. According to the photos provided by the claimant,they are two sheets on a closed board in which your data is contained.two)According to the complainant, the plank is located in an areaintended for the community garage, although it should be noted that it is not ruled out thatchildren, relatives, friends of the owners can pass through said area, without ruling outtenants or cleaning and maintenance staff of said community. Personsthat in any case they would not form each and every one part of the Board of owners, thatIt is made up of all the owners of the properties, with tasks of acollective governing body, the only ones that, in general, would be responsible for knowingmatters related to the Community.3)The defendant stated that she removed the exposed sheets on the board and hasadopted measures that include a protocol not to expose data of characterstaff on the board, unless the legal requirements and with authorizationmanager's express.FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to eachcontrol authority, and as established in arts. 47 and 48.1 of the LOPDGDD, theDirector of the Spanish Data Protection Agency is competent to resolvethis procedure.IIArticle 5.1.f) of the RGPD provides:" The personal data will be:“Treated in such a way as to guarantee adequate data securitypersonal, including protection against unauthorized or illegal processing and againstits loss, destruction or accidental damage, through the application of measuresappropriate technical or organizational ("integrity and confidentiality"). "C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/5The LOPDGDD states in its article 5:" 1. Those responsible and in charge of data processing as well as allpeople who intervene in any phase of this will be subject to the duty ofconfidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679 . "Although the size of the claimed Community is unknown, foreseeably,In the Community's vehicle parking area, not only will theowners, their relatives would access, but also any person authorized bythese, as friends, or there could be places rented from non-residents, staff ofmaintenance, etc. that is, third parties outside the owner relationship may circulate,which is the one that marks the group to which these matters can be made known.It is not guaranteed that exclusively the owners are the ones whothird parties unrelated to the data access said transit space as a common areahave been able to view the data and the matter in question, not being a spacesuitable for communicating news to the owners of the Community.The complained party is responsible for the management and processing of the data of theowners and in this case it is proven that it exposes the data to the knowledge of notonly owners, but not owners, and the filing of a lawsuit for acommoner against the community is up to the parties, not third parties.IIIArticle 83.5 a) of the RGPD, considers that the infringement of “the basic principlescosts for the treatment, including the conditions for consent under theArticles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the aforementioned article.Article 83 of the aforementioned Regulation, with administrative fines of € 20,000,000 asmaximum or, in the case of a company, an amount equivalent to a maximum of 4%total annual turnover of the previous financial year, opting-I know for the highest amount . "Article 58.2 b) of the RGPD indicates the possibility of sanctioning withwarning, and section 2 d) establishes that each supervisory authority may“ Order the person in charge of the treatment that the operations oftreatment comply with the provisions of this Regulation, whenproceed, in a certain way and within a specified period … ”. TheThe imposition of this last measure is compatible with the sanction consisting ofawareness.Therefore, in accordance with the legislation,the Director of the Spanish Agency for Data Protection RESOLVES:FIRST: IMPOSE a sanction of APPEARANCE to the COMMUNITY OFOWNERS RRR , with NIF *** NIF.1 , for a violation of Article 5.1.f) of theRGPD, in accordance with Articles 83.5 and 58.2.d) of the RGPD.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/5SECOND: NOTIFY this resolution to the COMMUNITY OF OWNERSRRR, through its representative, ASESORÍA Y FINCAS CANARIAS, SLTHIRD: In accordance with the provisions of article 50 of the LOPDGDD, theThis Resolution will be made public once it has been notified to the interested parties.Against this resolution, which puts an end to the administrative procedure in accordance with art.48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of theLPACAP, the interested parties may optionally file an appeal for reversalbefore the Director of the Spanish Agency for Data Protection within a period ofmonth from the day after notification of this resolution or directlycontentious-administrative appeal before the Contentious-Administrative Chamber of theNational High Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-administrative jurisdiction, within a period of two months from theday following notification of this act, as provided in article 46.1 of thereferred Law.Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of theLPACAP, the final resolution may be suspended in an administrative wayIf the interested party expresses his intention to file a contentious appeal-administrative. If this is the case, the interested party must formally communicate thismade by writing to the Spanish Agency for Data Protection,Presenting it through the Electronic Registry of the Agency[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the restrecords provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Toomust forward to the Agency the documentation that proves the effective filingof the contentious-administrative appeal. If the Agency is not aware of thefiling of the contentious-administrative appeal within a period of two months from theday after the notification of this resolution, would terminate theprecautionary suspension.
Mar España Martí
Director of the Spanish Agency for Data Protection