AEPD - PS/00335/2019

From GDPRhub
AEPD - PS/00335/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Decided: 16.03.2020
Fine: 4,000 EUR
Parties: n/a
National Case Number/Name: PS/00335/2019
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The AEPD fined EUR 4,000 individual for taking pictures at the beach without the consent of the data subjects.

English Summary[edit | edit source]

Facts[edit | edit source]

The data processor took pictures of women at the beach. The pictures allowed an identification of the concerned women. The police filed a respective claim with the AEPD on July 9, 2019.

Dispute[edit | edit source]

Whether the taking of pictures in public without the consent of the data subjects infringes Article 6 (1) (a) GDPR.

Holding[edit | edit source]

The AEPD fined the data processor in an amount of 4,000 Euro for the violation of Article 6 (1) (a) GDPR. Since the women on the pictures can be identified, a consent was required for capturing the pictures. The fact that the women were in public does not harm their right of privacy. The opposite, the facts that the women were mainly not aware of the pictures and the pictures are quite sensitive make the strengthen of the privacy rights necessary. The intention of using the pictures on the phone and the denunciation of “sexual touching” in a public area were further taking into account for the fine.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS / 00335/2019 
Of the procedure instructed by the Spanish Agency for Data Protection and 
based on the following 
the claimant) on July 9, 2019, filed a claim with the Agency 
Spanish Data Protection, motivated by the data processing carried out at 
through cameras of a video surveillance system whose owner is identified as 
AAA with NIF *** NIF.1 (* hereinafter the claimed) installed in the claimed Mobile. 
The reasons on which the claim is based are “capturing photographs of women in 
the beach area near the *** *** RIVER.1 ”for sexual purposes. 
Along with the claim, he provides documentary evidence (Annex I) that proves the 
capturing the images of bathers without their consent, as they are in the 
mobile device hard drive. 
The frames provided allow the bathers to be identified, all of them 
teenagers, who are enjoying a day at the beach, all of them in bathing suits and 
from various angles without ever being aware of being 
being photographed / recorded by a third party unrelated to them. 
Photograph nº1. Girl strolling along the beach strolling, sharp front shot. 
Photograph nº2. Girl with her back walking on the beach. 
Photograph nº3. Girl sitting on poyete looking at her mobile. 
Photograph nº4. Girl running in a swimsuit by the beach area. 
Photograph nº5. Girl in sitting leisure pose. 
SECOND : In view of the facts reported, in accordance with the evidence 
available, the Data Inspection of this Spanish Agency for the Protection of 
Data considers that the processing of personal data carried out by the 
announced through the cameras to which the complaint refers, does not comply with the 
decisions imposed by the data protection regulations, so the 
opening of this sanctioning procedure. 
THIRD: On October 4, 2019 , the Director of the Spanish Agency for 
Data Protection agreed to initiate a sanctioning procedure for the claimed party, with 
glo to the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Pro- 
Common Administrative assignment of Public Administrations (hereinafter, LPA- 
CAP), for the alleged violation of Article 6.1.a) of the RGPD, typified in Article 
83.5 of the RGPD. 
FOURTH: Once the aforementioned initial agreement has been notified, the defendant submitted a written 
allegations in which, in summary, it stated that the people photographed were 
his “cousins” that the State Security Forces and Corps did not leave him 
explain in any way. 
FIFTH: On 11/28/19 the procedure instructor agreed to open a 
practice period of tests, taking into account the previous actions 
of investigation, E / 08045/2019. 
Specifically, he was asked to provide reliable evidence that accredited 
the relationship of kinship that he used in his defense brief, leaving the 
same to prove such extreme. 
SIXTH: A list of documents in the 
procedure, reminding the defendant that if required, he has full access 
to the administrative file. 
SEVENTH: On 07/01/19 a resolution proposal is issued, where they are given by 
proven the facts transferred to this body, to be accredited the 
"Data processing" of third parties without the informed consent of their owners, 
outside the cases allowed by the Laws, proposing a sanction of 4000 € for the 
infringement of the content of art. 6.1 RGPD. 
By virtue of the powers that article 58.2 of the RGPD recognizes to each authori- 
control, and as established in art. 47 of Organic Law 3/2018, of 5 of 
December, on Personal Data Protection and guarantee of digital rights (in 
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection 
is competent to initiate and resolve this procedure. 
In the present case, we proceed to examine the claim dated 07/09/2019 after- 
Ladada by the City of Valladolid (Local Police) through which it is put 
In the knowledge of this Agency, the "capture of photographs of bathers" without their 
feeling with a sexual purpose. 
Article 6.1 RGPD provides the following: “The treatment will only be lawful if it 
meets at least one of the following conditions. 
a) The interested party gave their consent for the processing of their personal data- 
them for one or more specific purposes. (…) ” 
The images (personal data) are obtained by the accused surreptitiously, 
that is, without the consent of those affected, who were outsiders in all 
moment to the recording of your image. 
Article 18 EC provides “The right to honor, to personal privacy is guaranteed 
sonal and familiar and to the image itself ”. 
The Constitutional Court (STC 292/2000, November 30) BOE no. 4 of 
January 4, 2001) has declared that art. 18.4 CE contains, in the terms of the 
STC 254/1993, an institute guaranteeing the rights to privacy and honor and the 
full enjoyment of the remaining rights of citizens, which, in addition, is itself 
mo "a fundamental right or liberty, the right to liberty against potential 
assaults on the dignity and liberty of the person resulting from illegitimate use 
of mechanized data processing, what the Constitution calls 'computing' ", what 
which has been called "computer freedom" (FJ 6, reiterated later in the 
SSTC 143/1994, FJ 7, 11/1998, FJ 4, 94/1998, FJ 6, 202/1999, FJ 2). 
"This fundamental right to data protection, unlike the right to 
the privacy of art. 18.1 CE, with whom it shares the objective of offering an effective pro- 
constitutional provision of personal and family private life, attributes to its owner a beam 
of powers consisting for the most part of the legal power to impose on third parties 
the performance or omission of certain behaviors whose specific regulations 
tion must establish the Law, that which according to art. 18.4 CE Must Limit Use 
of computing, well developing the fundamental right to data protection 
(art. 81.1 CE), well regulating its exercise (art. 53.1 CE). The peculiarity of this right 
fundamental right to data protection with respect to that fundamental right so 
akin to that of intimacy lies, then, in its different function, what 
consequently, that their object and content also differ ” (* the underline belongs to 
this AEPD). 
As the Supreme Court has stated, the right to self-image is a 
personality right, recognized as a fundamental right in art. 18.1 of 
the Constitution and as an autonomous fundamental right by the Constitutional Court, 
and that, in its negative or exclusive facet, it grants the power to prevent obtaining, 
reproduction or publication of your own image by a third party without the consent 
express of the holder. 
It is this sense The Judgment of the Supreme Court of May 28, 2007 recognizes 
that: “The protection of the right to the image ex art. 7.5 of LO 1/1982 extends to 
the cases in which the photograph is captured on a beach or in another public place, without 
consent of the photographed person ”. 
The fact that the images are obtained in a public space does not imply 
"Elimination" of the subjective right and the renunciation of freedom in leisure spaces, thus 
as well as the activities that are carried out in these spaces according to the nature of 
the same (eg sunbathing, bathing, walking or even topless, etc). 
It is not unusual in today's times, when practically all 
citizens have mobile devices, to obtain images of spaces 
public, which are subsequently disseminated either on social networks or transmitted 
between individuals through messaging systems (vgr. whatsapp). 
In the present case, the photographs obtained are not the result of chance, 
but there is an active conduct of the accused in following his potential victims. 
but furtively, so that without their consent they obtain images of the same 
while they carry out activities according to the nature of this type of spaces (eg pa- 
searching, sunbathing, showering, etc.). 
The ease of obtaining a photograph with this type of device does not 
admits discussion, having assumed in practice, that anyone can become 
in a graphic “reporter” of facts and news in real time. 
The foregoing, however, cannot imply an elimination for practical purposes. 
of the right to the image, so that we can be recorded by anyone without 
our consent in public spaces that we go to for leisure purposes, 
rest, enjoyment, recreation, etc. 
In most cases the victims of these attacks on privacy are 
women or adolescents, who are affected at the core of their intimacy, restricting 
their freedom, being the object of photographs in swimming trunks, bikini, etc. with a lascivious purpose 
in some cases or mockery, unwarranted criticism, joke etc in others. 
Therefore, it is necessary to strengthen the protection of image processing 
as personal data, to fight against the dangers derived from an invasive use of 
new technologies, which among other things facilitate the taking of images without 
that the person affected can realize this, as well as its dissemination to wide 
audience members. 
Article 6.1 of the RGPD (Legality of treatment) establishes the assumptions 
cretos under which the treatment of the personal data of the 
In this case, from the documentation in the procedure, it is extracted that 
the accused has used his mobile device to obtain clear images of 
adolescent swimmers in a public area, without the express “consent” 
of them with a lewd a priori purpose. 
The images obtained are not accidental, because the documentary evidence 
contributed by the acting force (Annex I) allow verifying a follow-up of the 
affected, there being a clear intention to obtain images of them, 
to later enjoy these, for no apparent reason or reason. 
Article 77 section 5 of Law 39/2015 (October 1) provides as follows: 
"The documents formalized by the officials who recognize the condition 
of authority and in which, observing the corresponding legal requirements, 
take the facts found by those will prove these unless proven 
the contrary. " 
The above supposes a behavior of “treatment” without the consent of the holders. 
of the data, which are affected in their right to the image, which is affected 
This type of behavior, which is carried out in a furtive manner, without the 
but they know that they are being recorded by a third party unrelated to them. 
Furthermore, the images are stored in the memory of the device 
mobile position, which in its case would allow the non-consensual diffusion of the same in relation 
rights, hindering the protection of the affected right that could be the object of 
disclosure on a larger scale, aggravating the illegality of the act. 
The Supreme Court (Judgments of April 16 and 22, 1991) considers that the ele- 
point of guilt it follows “that the act or omission, described as infringement 
administratively punishable, must be, in any case, attributable to its author, 
for intent or recklessness, negligence or inexcusable ignorance . ” 
The Supreme Court (Judgments of July 5, 1998 and March 2, 1999) 
has been understanding that recklessness exists whenever a legal duty is neglected 
of care, that is, when the offending subject does not behave with the required diligence 
ble. Diligence whose degree of demand will be determined in attention to the circumstances 
concurrent companies in each case, such as the special value of the protected legal asset 
or the professionalism required of the offender. In this sense, the aforementioned Judgment of 5 
June 1998 requires professionals in the sector “ a duty to know especially 
the applicable norms ”. 
Applying the previous doctrine, the National Court requires the entities that operate 
in the data market, special diligence when carrying out the use or work 
treatment of such data or the transfer to third parties. And this because being the protection 
of data a fundamental right (Judgment of the Constitutional Court 292/2000), the 
custodians of this data must be especially diligent and careful when 
operate with them and they must always opt for the most favorable interpretation to the protection 
tion of the legal assets protected by the standard. In this sense, among others, Sen- 
Tences of the National Court dated February 14 and September 20, 2002 
and April 13 and May 18, 2005). 
The mere commission of an administrative offense — objective type — is not sufficient 
time to proceed to impose an administrative sanction. 
Guilt as reprehensibility to the active subject for injury to the property 
protected legal, is evident when the subject voluntarily performs the 
typical conduct intentionally aimed at obtaining the unlawful result, which 
is sought and loved 
Therefore, willful or negligent conduct must be involved, whether gross negligence 
or mild or simple, depending on the degree of neglect. 
In accordance with the evidence obtained in this sanctioning procedure 
dor, it is considered proven that the accused has proceeded to record on his device 
mobile images of bathers without their consent sneaking, proceeding to 
"Process personal data" of these without your consent. 
The known facts are constitutive of an infraction, attributable to the claim 
mado , for violation of art. 6.1 RGPD, without any of the circumstances 
reflected in it, to "process the data", even less the consent of the 
affected unaware of the described behavior. 
Article 83.5 RGPD provides the following: “Violations of the provisions- 
Subsequent measures will be sanctioned, in accordance with section 2, with administrative fines 
you go for a maximum of 20,000,000 EUR or, in the case of a company, a quantity 
equivalent to a maximum of 4% of the total global annual turnover for the year. 
previous financial year, opting for the largest amount: 
a) the basic principles for treatment, including conditions for 
consent pursuant to articles 5, 6, 7 and 9; (…). 
When motivating the sanction, the following criteria are taken into account: 
-The fact of obtaining images (personal data) without consent- 
of the holders, thereby affecting a constitutionally recognized right 
(art. 83.2 a) RGPD). 
-the intention of using the images for lewd purposes, making a 
improper use of your mobile device where you store them (art. 83.2 b 
- the transfer of the facts by the State Security Forces and Corps- 
c, when required by the citizenry to denounce the presence of a real man 
using “sexual touching” in a public area and obtained images of third parties without 
your consent (art. 83.2h) RGPD). 
For all this, an encrypted sanction is imposed in the amount of € 4,000 (Four 
Thousand Euros) for infringement of the content of art. 6.1 RGPD, when “treating third-party data 
ros ”by obtaining photographs, without the consent of the 
mos (as), with a clear intention far from normal use. 
For the accused, no coherent explanation has been offered, and even less 
even provided objective evidence to corroborate what was stated in his brief 
Consequently, the allegations of the accused must be rejected, 
be confirmed the concurrence of criminality and guilt in their offending conduct- 
Therefore, in accordance with the applicable legislation and the criteria of 
graduation of sanctions whose existence has been proven, 
the Director of the Spanish Agency for Data Protection RESOLVES: 
FIRST: TO IMPOSE Don AAA , with NIF *** NIF.1 , for a violation of the article 
6.1.a) of the RGPD, typified in article 83.5 of the RGPD, a fine of € 4,000 (Four 
Thousand Euros), having treated third party data without your consent, infringement 
typified in article 83.5 a) RGPD, being punishable in accordance with art. 
58.2 RGPD. 
SECOND: NOTIFY this resolution to Don AAA 
THIRD: Warn the sanctioned that they must make effective the sanction imposed a 
once this resolution is executive, in accordance with the provisions of the 
art. 98.1.b) of Law 39/2015, of October 1, of the Administrative Procedure 
Common of Public Administrations (hereinafter LPACAP), within the payment period 
volunteer established in art. 68 of the General Collection Regulation, approved 
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, 
December 17, by entering, indicating the NIF of the sanctioned and the number 
of procedure that appears in the heading of this document, in the account 
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency 
Spanish Data Protection at Banco CAIXABANK, SA Otherwise, 
will be collected in the executive period. 
Notification received and once executive, if the date of enforcement is 
finds between the 1st and 15th of each month, both inclusive, the deadline to carry out the 
Voluntary payment will be until the 20th of the following month or the next business day, and if is between the 16th and last day of each month, both inclusive, the term of the 
Payment will be until the 5th of the second following month or immediately following business. 
In accordance with the provisions of article 50 of the LOPDGDD, the 
This Resolution will be made public once the interested parties have been notified. 
Against this resolution, which ends the administrative procedure pursuant to art. 
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the 
LPACAP, interested parties may file, optionally, appeal for reversal 
before the Director of the Spanish Agency for Data Protection within one 
month from the day after notification of this resolution or directly 
administrative contentious appeal before the Contentious-administrative Chamber of the 
National Court, in accordance with the provisions of article 25 and section 5 of 
the fourth additional provision of Law 29/1998, of July 13, regulating the 
Contentious-administrative jurisdiction, within two months from 
day after notification of this act, as provided in article 46.1 of the 
referred Law. 
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the 
LPACAP, the firm resolution may be provisionally suspended in administrative proceedings 
if the interested party expresses his intention to file a contentious appeal- 
administrative. If this is the case, the interested party must formally communicate this 
made by writing addressed to the Spanish Agency for Data Protection, 
presenting it through the Electronic Registry of the Agency 
[], or through any of the rest 
records provided in art. 16.4 of the aforementioned Law 39/2015, of October 1. Too 
You must transfer to the Agency the documentation that proves the effective filing 
of the contentious-administrative appeal. If the Agency had no knowledge of the 
filing of the contentious-administrative appeal within two months from the 
day after notification of this resolution, would terminate the 
precautionary suspension. 
Director of the Spanish Agency for Data Protection