AEPD (Spain) - EXP202209001: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00695/2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00695-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod...")
 
No edit summary
Line 65: Line 65:
}}
}}


The Spanish DPA fined €600 for installing security cameras that focused beyond the private property of the controller's, violating Article 5(1)(c) and 13 GDPR.
The Spanish DPA fined €600 for installing security cameras that focused beyond the private property of the controller's, violating [[Article 5 GDPR|Article 5(1)(c)]] and [[Article 13 GDPR|13 GDPR]].


== English Summary ==
== English Summary ==
Line 79: Line 79:
The Spanish DPA considered that the data controller had a camera system in place that was poorly oriented and deficient in terms of information signs. It was concluded that the information signs had irregularities, since it did not have an effective address to which any person can address himself.
The Spanish DPA considered that the data controller had a camera system in place that was poorly oriented and deficient in terms of information signs. It was concluded that the information signs had irregularities, since it did not have an effective address to which any person can address himself.


The Spanish DPA fined €600 the controller for installing security cameras that focused beyond his private property, violating Article 5(1)(c) and 13 GDPR.
The Spanish DPA fined €600 the controller for installing security cameras that focused beyond his private property, violating [[Article 5 GDPR|Article 5(1)(c)]] and [[Article 13 GDPR|13 GDPR.]]


AEPD determined the removal of the cameras in question or the reorientation of the cameras, in accordance with current legislation, so that they do not record or capture images of the data subject's private space. In addition, the controller must include an informative sign in accordance with the regulations.
AEPD determined the removal of the cameras in question or the reorientation of the cameras, in accordance with current legislation, so that they do not record or capture images of the data subject's private space. In addition, the controller must include an informative sign in accordance with the regulations.

Revision as of 10:36, 3 October 2023

AEPD - PS/00695/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 13 GDPR
Article 83(5)(a) GDPR
Article 83(5)(b) GDPR
Type: Complaint
Outcome: Upheld
Started: 01.08.2022
Decided: 29.09.2023
Published: 29.09.2023
Fine: 600 EUR
Parties: n/a
National Case Number/Name: PS/00695/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The Spanish DPA fined €600 for installing security cameras that focused beyond the private property of the controller's, violating Article 5(1)(c) and 13 GDPR.

English Summary

Facts

On 1st of August 2022, the data subject submitted a complaint against a neighbor since he had installed a video surveillance camera on his property facing the data subject’s property, more specifically at the swimming pool, without being authorized to do so.

Holding

The Spanish DPA considered that the data subject provided a photograph without date and time and, based on this, it was impossible to specify which was her private area on a location plan. Also, AEPD considered that the allegations were insufficient as they do not provide a proper "screen print" of what is being captured by the data controller or the specific orientation of the camera.

AEPD highlighted that individuals can install cameras, but only on their own private property and it must be oriented towards his own private property.

The Spanish DPA considered that the data controller had a camera system in place that was poorly oriented and deficient in terms of information signs. It was concluded that the information signs had irregularities, since it did not have an effective address to which any person can address himself.

The Spanish DPA fined €600 the controller for installing security cameras that focused beyond his private property, violating Article 5(1)(c) and 13 GDPR.

AEPD determined the removal of the cameras in question or the reorientation of the cameras, in accordance with current legislation, so that they do not record or capture images of the data subject's private space. In addition, the controller must include an informative sign in accordance with the regulations.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/7










     File No.: EXP202209001



                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based
to the following


                                   BACKGROUND

FIRST: A.A.A. (*hereinafter, the complaining party) dated August 1, 2022
filed a claim with the Spanish Data Protection Agency. The claim-

tion is directed against who it identifies as B.B.B. with NIF ***NIF.1 (hereinafter, the
claimed party). The reasons on which the claim is based are the following:

       “(…) the claimed party, a neighbor of the property adjacent to that of the claiming party,
has installed a video surveillance camera on his property aimed at the party's property
claimant, more specifically to his swimming pool, without having authorization to do so”-fo-

lio no. 1-.

Provides images of the location of the camera and the affected area (Document Annex).
mental I).


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party in faith.
cha 01/09/22, so that it could proceed with its analysis and inform this Agency on the
period of one month, of the actions carried out to adapt to the anticipated requirements.

cough in data protection regulations.

       The transfer, which was carried out in accordance with the rules established in the Law
39/2015, of October 1, of the Common Administrative Procedure of the Administrations
Publications (hereinafter, LPACAP), was collected in a timely manner as stated.
in the acknowledgment of receipt in the file.


THIRD: On November 1, 2022, in accordance with article 65 of
the LOPDGDD, the claim presented by the complaining party was admitted for processing,
considering the arguments initially put forward insufficient.


FOURTH: On February 22, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of Public Administrations (hereinafter
te, LPACAP), for the alleged violation of Article 5.1.c) of the RGPD, typified in the

Article 83.5 of the GDPR.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/7








FIFTH: On 01/02/23, a response was received from the defendant presenting evidence.
documentary evidence in relation to the events subject to transfer, as well as “response declaration”.
responsible” for this purpose.


       Documentary evidence is provided (photograph 1) that proves the presence of the poster
informative, without proving where it is installed, limiting itself to expressing what is
next “C.C.C.” in the section intended for <Responsible>.

SIXTH: On 04/26/23 <Proposal for resolution> is issued in which it is proposed

a penalty estimated in the amount of 600 euros (€300+€300), when having a
poorly oriented video surveillance device affecting the private area of a third party, with
deficient signage, being notified in a timely manner to the management of the
claimed, resulting in <Absent> at destination, although leaving a notice in the mailbox.
post office as accredited by the State Post and Telegraph Society.


       On 07/05/23 the <Proposal> was published in the BOE
notification to the defendant's home has been unsuccessful.

Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:


                                 PROVEN FACTS

First: The facts give rise to the claim dated 08/01/22 through the
which is transferred to this organization the following:


       “(…) the claimed party, a neighbor of the property adjacent to that of the claiming party,
has installed a video surveillance camera on his property aimed at the party's property
claimant, more specifically to his swimming pool, without having authorization to do so”-fo-
lio no. 1--.


Second: B.B.B. is identified as the main responsible party, with NIF ***NIF.1.

Third: It is clear that the defendant has an information sign, although it is
just put “C.C.C.” being insufficient in order to comply with the requirements of the regulations.
is in force.


Fourth: No screen print (date and time) has been provided of what is captured in
your case with the device installed, nor has the cause of the
installation to this organization.


                            FOUNDATIONS OF LAW

                                            Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (Re-

General Data Protection Regulation, hereinafter RGPD), grants each authorization
control and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/7








digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed
ted by the Spanish Data Protection Agency will be governed by the provisions of
Regulation (EU) 2016/679, in this organic law, by the regulatory provisions-
dictated in its development and, insofar as they do not contradict them, with a sub-
subsidiary, by the general rules on administrative procedures."


                                            II

In the present case, the claimant states that the “camera is oriented towards her
“private zone” providing a photograph without date and time, without being able to specify what its
private space on a location plan.


       Notwithstanding the above, it is considered that the allegations are insufficient.
cient by not providing a “screen impression” of what, in their case, is captured by the claim.
mada or the specific orientation of the camera.

       It is the freedom of the defendant to install the camera on his or her private property, although

It should preferably be oriented towards your private space or, arguably,
Briefly mention the reasons for your presence there.

       The content of article 5.1 letter c) is considered to be allegedly affected.
GDPR that provides: “Personal data will be:


       c) adequate, relevant and limited to what is necessary in relation to the purposes
for those who are processed ("data minimization");

It should be remembered that individuals are responsible for ensuring that the systems installed

felled comply with current legislation, proving that it complies with all
the requirements demanded by the regulations in force.

Article 72 section 1 letter a) establishes a limitation period of three years “the
infractions that involve a substantial violation of the articles mentioned in
that one and, in particular, the following:


       “a) The processing of personal data violating the principles and guarantees es-
established in article 5 of Regulation (EU) 2016/679.

                                            III


In the present case, the alleged “irregularities” are also examined.
of the informative poster, lacking an effective address to which anyone can go.
affected in the context of data protection.


       “The duty of information provided for in article 12 of the Regulation (EU)
2016/679 will be understood to be fulfilled through the placement of an information device.
in a sufficiently visible place identifying, at least, the existence of the treatment.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/7








to, the identity of the person responsible and the possibility of exercising the rights provided for in
Articles 15 to 22 of Regulation (EU) 2016/679.


A connection code or address may also be included in the information device.
tion of the Internet to this information” (*bold belongs to this organization)—art. 22
section 4 of the LOPDGDD--.

The facts described above affect the content of the article.
13 RGPD, lacking information sign(s) with an effective address to which

where appropriate, contact or indicate, where appropriate, the main person responsible for the processing of
the data.

 Article 13 GDPR “Information that must be provided when personal data
are obtained from the interested party."


1. When personal data relating to him or her is obtained from an interested party, the person responsible
treatment, at the time these are obtained, it will provide you with all the information
information indicated below: a) the identity and contact details of the person responsible
and, where appropriate, his representative; b) the contact details of the protection delegate
tion of data, if applicable; c) the purposes of the processing for which the personal data are intended.

sonales and the legal basis of the treatment (…).

Article 72 section 1 of the LOPDGDD (LO 3/2018, December 5) in relation to the plan-
Limitation period for very serious infractions “will expire after three years” and in
particularly the following:


       h) The omission of the duty to inform the affected person about the treatment of their
personal data in accordance with the provisions of articles 13 and 14 of the Regulation
(EU) 2016/679 and 12 of this organic law.


                                            IV

In accordance with the evidence available in this procedure
sanctioning party, it is considered that the claimed party has a camera system
video surveillance system that is poorly oriented and deficient in terms of signage
informative.


       The evidence initially provided by the defendant is insufficient and
prove that the criteria established in the regulations in question have not been taken into account.
force, nor what is set out in the Video Surveillance Guide of this organization, of free access
at the address www.aepd.es, where the requirements of the

informative signs and their location.

Whenever you are going to carry out a collection of images of people, you must
will inform of the existence of said video surveillance system through the placement
provision of an information sign that is sufficiently visible at the entrances

to the monitored areas, which will clearly indicate a series of data related to the
existence of the processing (video surveillance), if it constitutes a file, the identity of the
responsible for the treatment or video surveillance system and its management,
of the possibility of exercising the rights recognized in the Regulations on Protection

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/7








tion of Data (access, rectification, deletion, limitation of processing, portability,
opposition, and opposition to automated individual decisions) and where to get more
information on the processing of personal data.


       The known facts constitute an infringement, attributable to the party
claimed, for violation of the content of article 13 RGPD.

                                            V


The art. 83.5 GDPR provides the following: “Violation of the following provisions:
These will be sanctioned, in accordance with section 2, with administrative fines of 20
EUR 000 000 maximum or, in the case of a company, an amount equivalent to
to a maximum of 4% of the overall total annual turnover of the financial year.
above, opting for the highest amount:


       a) The basic principles for treatment, including the conditions for treatment
           consent in accordance with articles 5,6,7 and 9(…)
       b) the rights of the interested parties under articles 12 to 22 (..).

When motivating the sanction, it is taken into account that it is an individual, although

The initial response is considered insufficient in terms of the measures adopted, which
which denotes at least negligent conduct, imposing a penalty of 600 euros
(€300+€300), due to the irregularities in the information sign and the alleged poor orientation.
tion of the camera, affecting in principle articles 5.1 c) and 13 RGPD, sanction si-
tuated on the lower scale for this type of behavior based on the criteria of this

organism.

                                            SAW

The text of the resolution establishes what infractions have been committed and

the events that have given rise to the violation of the data protection regulations
cough, from which it is clearly inferred what measures to adopt, without prejudice to
that the type of procedures, mechanisms or specific instruments to implement
tarlas corresponds to the sanctioned party, since it is the person responsible for the treatment who
knows its organization fully and must decide, based on the responsibility
active and risk-focused, how to comply with the RGPD and the LOPDGDD.


It is warned that failure to comply with the possible order to adopt measures imposed by
this body in the sanctioning resolution may be considered as an infraction.
administrative action in accordance with the provisions of the RGPD, classified as an infraction in
its article 83.5 and 83.6, such conduct may motivate the opening of a subsequent procedure.

administrative sanctioning order.

       The claimed party must reliably prove that the camera is oriented
towards their private area (eg, providing a photograph with date and time) or providing
document that, if applicable, proves it (e.g. model of responsibility declaration).

ble, etc.) or make the necessary arguments to prove the legality of the
system in such a way that they are understandable to this Agency, without prejudice to
prove that the information signage is in accordance with the regulations in force.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/7








       Please remember that, in the event of payment of the penalty, you must also provide two
precise documentation of having adopted the necessary measures in relation to the cartel
informative, which will consist of a photograph (date and time) with the necessary modifications,

as well as a brief explanation of the visible place where it has been installed so that
be understandable by this body.

Therefore, in accordance with the applicable legislation and evaluated the graduation criteria
tion of sanctions whose existence has been proven,


the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE Ms. B.B.B., with NIF ***NIF.1, for a violation of the Article
5.1.c) and 13 of the RGPD, typified in Article 83.5 a) and b) of the RGPD, a fine of
€600.


SECOND: NOTIFY this resolution to B.B.B..

THIRD: ORDER to B.B.B., with NIF ***NIF.1, which by virtue of article 58.2.d)
of the RGPD, within a period of 15 business days, proves that it has proceeded to comply with
the following measures:


       -Completion of information poster in accordance with current regulations, providing
photograph with date and time for this purpose indicating the location of the sign due to
formed (e.g. indication of the person responsible, address for communication purposes)
tions, etc).


       -Remove and/or reorient the installed device in such a way that it can be con-
tate that it is not oriented towards the property of the claiming party, de-
Please provide a screen print with date and time for this purpose.


FOURTH: Warn the sanctioned person that he must make the sanction imposed effective
once this resolution is executive, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, of the Administrative Procedure
of the Public Administrations (hereinafter LPACAP), within the voluntary payment period.
lunary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,

of December 17, by entering it, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXES-
BBXXX), opened in the name of the Spanish Data Protection Agency in the entity
banking entity CAIXABANK, S.A.. Otherwise, it will be collected in

executive period.

Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the period to make the voluntary payment
voluntary will be until the 20th of the following month or immediately following business month, and if

falls between the 16th and last day of each month, both inclusive, the payment period is
until the 5th of the second following or immediately following business month.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/7








In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the inter-
rescheduled may optionally file an appeal for reconsideration before the Director

of the Spanish Data Protection Agency within a period of one month from
the day following notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the additional provision
final fourth of Law 29/1998, of July 13, regulating the Contentious Jurisdiction-

administrative, within a period of two months counting from the day following the notification.
tion of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,

may provisionally suspend the final resolution through administrative channels if the interested party
do expresses his intention to file a contentious-administrative appeal. If so-
If applicable, the interested party must formally communicate this fact in writing.
addressed to the Spanish Data Protection Agency, presenting it through the Re-
Electronic register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or to

through one of the remaining records provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also transfer the documentation to the Agency
that proves the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious-administrative appeal
treatment within a period of two months from the day following notification of this

resolution, would end the precautionary suspension.


                                                                                   938-010623
Sea Spain Martí
Director of the Spanish Data Protection Agency

























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es