AEPD - PS/00335/2019
|AEPD - PS/00335/2019|
|Relevant Law:||Article 6(1)(a) GDPR|
|National Case Number/Name:||PS/00335/2019|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The AEPD fined an individual for taking pictures at the beach without the consent of the data subjects.
The data processor took pictures of women at the beach. The pictures allowed an identification of the concerned women. The police filed a respective claim with the AEPD on July 9, 2019.
Whether the taking of pictures in public without the consent of the data subjects infringes Article 6 (1) (a) GDPR.
The AEPD fined the data processor in an amount of 4,000 Euro for the violation of Article 6 (1) (a) GDPR. Since the women on the pictures can be identified, a consent was required for capturing the pictures. The fact that the women were in public does not harm their right of privacy. The opposite, the facts that the women were mainly not aware of the pictures and the pictures are quite sensitive make the strengthen of the privacy rights necessary. The intention of using the pictures on the phone and the denunciation of “sexual touching” in a public area were further taking into account for the fine.
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS / 00335/2019 938-051119 RESOLUTION OF PENALTY PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on the following ACTS FIRST: CITY COUNCIL OF *** LOCALITY. 1 - LOCAL POLICE (* hereinafter, the claimant) on July 9, 2019, filed a claim with the Agency Spanish Data Protection, motivated by the data processing carried out at through cameras of a video surveillance system whose owner is identified as AAA with NIF *** NIF.1 (* hereinafter the claimed) installed in the claimed Mobile. The reasons on which the claim is based are “capturing photographs of women in the beach area near the *** *** RIVER.1 ”for sexual purposes. Along with the claim, he provides documentary evidence (Annex I) that proves the capturing the images of bathers without their consent, as they are in the mobile device hard drive. The frames provided allow the bathers to be identified, all of them teenagers, who are enjoying a day at the beach, all of them in bathing suits and from various angles without ever being aware of being being photographed / recorded by a third party unrelated to them. Photograph nº1. Girl strolling along the beach strolling, sharp front shot. Photograph nº2. Girl with her back walking on the beach. Photograph nº3. Girl sitting on poyete looking at her mobile. Photograph nº4. Girl running in a swimsuit by the beach area. Photograph nº5. Girl in sitting leisure pose. SECOND : In view of the facts reported, in accordance with the evidence available, the Data Inspection of this Spanish Agency for the Protection of Data considers that the processing of personal data carried out by the announced through the cameras to which the complaint refers, does not comply with the decisions imposed by the data protection regulations, so the opening of this sanctioning procedure. THIRD: On October 4, 2019 , the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure for the claimed party, with glo to the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Pro- Common Administrative assignment of Public Administrations (hereinafter, LPA- CAP), for the alleged violation of Article 6.1.a) of the RGPD, typified in Article 83.5 of the RGPD. FOURTH: Once the aforementioned initial agreement has been notified, the defendant submitted a written allegations in which, in summary, it stated that the people photographed were his “cousins” that the State Security Forces and Corps did not leave him explain in any way. FIFTH: On 11/28/19 the procedure instructor agreed to open a practice period of tests, taking into account the previous actions of investigation, E / 08045/2019. Specifically, he was asked to provide reliable evidence that accredited the relationship of kinship that he used in his defense brief, leaving the same to prove such extreme. SIXTH: A list of documents in the procedure, reminding the defendant that if required, he has full access to the administrative file. SEVENTH: On 07/01/19 a resolution proposal is issued, where they are given by proven the facts transferred to this body, to be accredited the "Data processing" of third parties without the informed consent of their owners, outside the cases allowed by the Laws, proposing a sanction of 4000 € for the infringement of the content of art. 6.1 RGPD. FUNDAMENTALS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authori- control, and as established in art. 47 of Organic Law 3/2018, of 5 of December, on Personal Data Protection and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to initiate and resolve this procedure. II In the present case, we proceed to examine the claim dated 07/09/2019 after- Ladada by the City of Valladolid (Local Police) through which it is put In the knowledge of this Agency, the "capture of photographs of bathers" without their feeling with a sexual purpose. Article 6.1 RGPD provides the following: “The treatment will only be lawful if it meets at least one of the following conditions. a) The interested party gave their consent for the processing of their personal data- them for one or more specific purposes. (…) ” The images (personal data) are obtained by the accused surreptitiously, that is, without the consent of those affected, who were outsiders in all moment to the recording of your image. Article 18 EC provides “The right to honor, to personal privacy is guaranteed sonal and familiar and to the image itself ”. The Constitutional Court (STC 292/2000, November 30) BOE no. 4 of January 4, 2001) has declared that art. 18.4 CE contains, in the terms of the STC 254/1993, an institute guaranteeing the rights to privacy and honor and the full enjoyment of the remaining rights of citizens, which, in addition, is itself mo "a fundamental right or liberty, the right to liberty against potential assaults on the dignity and liberty of the person resulting from illegitimate use of mechanized data processing, what the Constitution calls 'computing' ", what which has been called "computer freedom" (FJ 6, reiterated later in the SSTC 143/1994, FJ 7, 11/1998, FJ 4, 94/1998, FJ 6, 202/1999, FJ 2). "This fundamental right to data protection, unlike the right to the privacy of art. 18.1 CE, with whom it shares the objective of offering an effective pro- constitutional provision of personal and family private life, attributes to its owner a beam of powers consisting for the most part of the legal power to impose on third parties the performance or omission of certain behaviors whose specific regulations tion must establish the Law, that which according to art. 18.4 CE Must Limit Use of computing, well developing the fundamental right to data protection (art. 81.1 CE), well regulating its exercise (art. 53.1 CE). The peculiarity of this right fundamental right to data protection with respect to that fundamental right so akin to that of intimacy lies, then, in its different function, what consequently, that their object and content also differ ” (* the underline belongs to this AEPD). As the Supreme Court has stated, the right to self-image is a personality right, recognized as a fundamental right in art. 18.1 of the Constitution and as an autonomous fundamental right by the Constitutional Court, and that, in its negative or exclusive facet, it grants the power to prevent obtaining, reproduction or publication of your own image by a third party without the consent express of the holder. It is this sense The Judgment of the Supreme Court of May 28, 2007 recognizes that: “The protection of the right to the image ex art. 7.5 of LO 1/1982 extends to the cases in which the photograph is captured on a beach or in another public place, without consent of the photographed person ”. The fact that the images are obtained in a public space does not imply "Elimination" of the subjective right and the renunciation of freedom in leisure spaces, thus as well as the activities that are carried out in these spaces according to the nature of the same (eg sunbathing, bathing, walking or even topless, etc). It is not unusual in today's times, when practically all citizens have mobile devices, to obtain images of spaces public, which are subsequently disseminated either on social networks or transmitted between individuals through messaging systems (vgr. whatsapp). In the present case, the photographs obtained are not the result of chance, but there is an active conduct of the accused in following his potential victims. but furtively, so that without their consent they obtain images of the same while they carry out activities according to the nature of this type of spaces (eg pa- searching, sunbathing, showering, etc.). The ease of obtaining a photograph with this type of device does not admits discussion, having assumed in practice, that anyone can become in a graphic “reporter” of facts and news in real time. The foregoing, however, cannot imply an elimination for practical purposes. of the right to the image, so that we can be recorded by anyone without our consent in public spaces that we go to for leisure purposes, rest, enjoyment, recreation, etc. In most cases the victims of these attacks on privacy are women or adolescents, who are affected at the core of their intimacy, restricting their freedom, being the object of photographs in swimming trunks, bikini, etc. with a lascivious purpose in some cases or mockery, unwarranted criticism, joke etc in others. Therefore, it is necessary to strengthen the protection of image processing as personal data, to fight against the dangers derived from an invasive use of new technologies, which among other things facilitate the taking of images without that the person affected can realize this, as well as its dissemination to wide audience members. III Article 6.1 of the RGPD (Legality of treatment) establishes the assumptions cretos under which the treatment of the personal data of the interested. In this case, from the documentation in the procedure, it is extracted that the accused has used his mobile device to obtain clear images of adolescent swimmers in a public area, without the express “consent” of them with a lewd a priori purpose. The images obtained are not accidental, because the documentary evidence contributed by the acting force (Annex I) allow verifying a follow-up of the affected, there being a clear intention to obtain images of them, to later enjoy these, for no apparent reason or reason. Article 77 section 5 of Law 39/2015 (October 1) provides as follows: "The documents formalized by the officials who recognize the condition of authority and in which, observing the corresponding legal requirements, take the facts found by those will prove these unless proven the contrary. " The above supposes a behavior of “treatment” without the consent of the holders. of the data, which are affected in their right to the image, which is affected This type of behavior, which is carried out in a furtive manner, without the but they know that they are being recorded by a third party unrelated to them. Furthermore, the images are stored in the memory of the device mobile position, which in its case would allow the non-consensual diffusion of the same in relation rights, hindering the protection of the affected right that could be the object of disclosure on a larger scale, aggravating the illegality of the act. IV The Supreme Court (Judgments of April 16 and 22, 1991) considers that the ele- point of guilt it follows “that the act or omission, described as infringement administratively punishable, must be, in any case, attributable to its author, for intent or recklessness, negligence or inexcusable ignorance . ” The Supreme Court (Judgments of July 5, 1998 and March 2, 1999) has been understanding that recklessness exists whenever a legal duty is neglected of care, that is, when the offending subject does not behave with the required diligence ble. Diligence whose degree of demand will be determined in attention to the circumstances concurrent companies in each case, such as the special value of the protected legal asset or the professionalism required of the offender. In this sense, the aforementioned Judgment of 5 June 1998 requires professionals in the sector “ a duty to know especially the applicable norms ”. Applying the previous doctrine, the National Court requires the entities that operate in the data market, special diligence when carrying out the use or work treatment of such data or the transfer to third parties. And this because being the protection of data a fundamental right (Judgment of the Constitutional Court 292/2000), the custodians of this data must be especially diligent and careful when operate with them and they must always opt for the most favorable interpretation to the protection tion of the legal assets protected by the standard. In this sense, among others, Sen- Tences of the National Court dated February 14 and September 20, 2002 and April 13 and May 18, 2005). The mere commission of an administrative offense — objective type — is not sufficient time to proceed to impose an administrative sanction. Guilt as reprehensibility to the active subject for injury to the property protected legal, is evident when the subject voluntarily performs the typical conduct intentionally aimed at obtaining the unlawful result, which is sought and loved Therefore, willful or negligent conduct must be involved, whether gross negligence or mild or simple, depending on the degree of neglect. In accordance with the evidence obtained in this sanctioning procedure dor, it is considered proven that the accused has proceeded to record on his device mobile images of bathers without their consent sneaking, proceeding to "Process personal data" of these without your consent. The known facts are constitutive of an infraction, attributable to the claim mado , for violation of art. 6.1 RGPD, without any of the circumstances reflected in it, to "process the data", even less the consent of the affected unaware of the described behavior. Article 83.5 RGPD provides the following: “Violations of the provisions- Subsequent measures will be sanctioned, in accordance with section 2, with administrative fines you go for a maximum of 20,000,000 EUR or, in the case of a company, a quantity equivalent to a maximum of 4% of the total global annual turnover for the year. previous financial year, opting for the largest amount: a) the basic principles for treatment, including conditions for consent pursuant to articles 5, 6, 7 and 9; (…). When motivating the sanction, the following criteria are taken into account: -The fact of obtaining images (personal data) without consent- of the holders, thereby affecting a constitutionally recognized right (art. 83.2 a) RGPD). -the intention of using the images for lewd purposes, making a improper use of your mobile device where you store them (art. 83.2 b RGPD). - the transfer of the facts by the State Security Forces and Corps- c, when required by the citizenry to denounce the presence of a real man using “sexual touching” in a public area and obtained images of third parties without your consent (art. 83.2h) RGPD). For all this, an encrypted sanction is imposed in the amount of € 4,000 (Four Thousand Euros) for infringement of the content of art. 6.1 RGPD, when “treating third-party data ros ”by obtaining photographs, without the consent of the mos (as), with a clear intention far from normal use. For the accused, no coherent explanation has been offered, and even less even provided objective evidence to corroborate what was stated in his brief tions. Consequently, the allegations of the accused must be rejected, be confirmed the concurrence of criminality and guilt in their offending conduct- ra. Therefore, in accordance with the applicable legislation and the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: TO IMPOSE Don AAA , with NIF *** NIF.1 , for a violation of the article 6.1.a) of the RGPD, typified in article 83.5 of the RGPD, a fine of € 4,000 (Four Thousand Euros), having treated third party data without your consent, infringement typified in article 83.5 a) RGPD, being punishable in accordance with art. 58.2 RGPD. SECOND: NOTIFY this resolution to Don AAA THIRD: Warn the sanctioned that they must make effective the sanction imposed a once this resolution is executive, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, of the Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period volunteer established in art. 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, December 17, by entering, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection at Banco CAIXABANK, SA Otherwise, will be collected in the executive period. Notification received and once executive, if the date of enforcement is finds between the 1st and 15th of each month, both inclusive, the deadline to carry out the Voluntary payment will be until the 20th of the following month or the next business day, and if is between the 16th and last day of each month, both inclusive, the term of the Payment will be until the 5th of the second following month or immediately following business. V In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once the interested parties have been notified. Against this resolution, which ends the administrative procedure pursuant to art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may file, optionally, appeal for reversal before the Director of the Spanish Agency for Data Protection within one month from the day after notification of this resolution or directly administrative contentious appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from day after notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution may be provisionally suspended in administrative proceedings if the interested party expresses his intention to file a contentious appeal- administrative. If this is the case, the interested party must formally communicate this made by writing addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest records provided in art. 16.4 of the aforementioned Law 39/2015, of October 1. Too You must transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency had no knowledge of the filing of the contentious-administrative appeal within two months from the day after notification of this resolution, would terminate the precautionary suspension. Director of the Spanish Agency for Data Protection