AEPD - PS/00292/2019

From GDPRhub
AEPD - PS/00292/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(b) GDPR
Article 83(2)(b) GDPR
Article 83(2)(g) GDPR
Article 83(5)(a) GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 10. 2.2020
Fine: 1.000 €
Parties: Anoymous Vs. Anonymous
National Case Number/Name: PS/00292/2019
European Case Law Identifier: n/a
Appeal: {{{Appeal_To_Status}}}
[[:Category:{{{Appeal_To_Body}}}|{{{Appeal_To_Body}}}]]
[[{{{Appeal_To_Link}}}|{{{Appeal_To_Case_Number_Name}}}]]
Original Language(s): Spanish
Original Source: AEPD (in es)
Initial Contributor: {{{Initial_Contributor}}}

The AEPD imposed a 1.000 € fine for a false advertisement containing personal data in a website aimed at offering services for adults, without the consent of the data subject.

English Summary[edit | edit source]

Facts[edit | edit source]

A website containing aimed at offering services for adults published the picture, name, telephone number and a sexual related description of a citizen – the complainant - as a contact person for the performance of these services without her consent. Following the publication of her personal data on the website, the complainant received unsolicited phone calls from people who wished to have sex with her. The complainant pointed out that the pictures published had been obtained from her work intranet with an external IP address. Thus, she filed a complaint with the AEPD against the IP address' owner which added her personal data to the website. Therefore, she complained that the advertiser who created the false ad unlawfully processed her personal data and did not sue the service provider which removed the publication immediately.

Dispute[edit | edit source]

The AEPD had to pronounce itself on the legal basis of the processing of personal data – the consent or the performance of a contract – and had to decide which circumstances should be takne into account for the administrative fine.

Holding[edit | edit source]

The AEPD stated that it was clear from the procedure that the advertiser added a false ad on the web portal, containing the personal data of the complainant without her consent. Thus, the AEPD ruled that the personal data published on the website were not necessary for the performance of the contract between the advertiser and the website. Therefore, it has been concluded that the advertiser violated Articles 5(1)(a) and 6(1)(b) GDPR.

In addition, the AEPD decided to impose a fine of 1.000 € in accordance with Article 83(5)(a) GDPR by taking into consideration that the action was intentional (Article 83(2)(b) GDPR), and that the personal data are sensitive (Article 83(2)(g) GDPR).

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the **Spanish** original. Please refer to the **Spanish** original for more details.

to be completed