The Spanish personal data protection authority has recently fined a natural person EUR 10,000.00 for publishing personal data of a third person without the latter’s consent on an online blog.
Acting upon a complaint by the person whose personal data were published, the authority established that the person against whom the complaint was filed had published, for a certain period on their online blog, the name and video of the character, and had otherwise implicitly indicated the personality of the complainant; this practice was not suspended even after receipt of a request from the complainant or of a court order.
The competent authority therefore held that, in this particular case, Article 6(1) of the GDPR was infringed, considering that the personal data processing was conducted without consent or any other legal basis.
To determine the amount of the fine, the authority considered several circumstances, in particular the nature and severity of the infringement, the degree of damage done to the person whose data had been published without basis, the fact that the person concerned was simultaneously accused of immoral and unlawful behaviour, and the intentional character of the infringement.
Legal basis for personal data processing in domestic law
According to the provisions of Article 12 of the Law on Personal Data Protection (Off. Gazette of the RS no. 87/2018) (“the Law”), processing of personal data is lawful only if one of the following requirements is fulfilled:
- the data subject consented to processing of their personal data for one or more specifically designated purposes;
- processing is necessary for performing the agreement concluded with the data subject or for undertaking activities, at the request of the data subject, prior to conclusion of the agreement;
- processing is necessary for the purpose of complying with the legal obligations of the controller;
- processing is necessary for the purpose of protecting vital interests of the data subject or another natural person;
- processing is necessary for the purpose of performing activities in the public interest or exercising the controller’s legally prescribed authorities;
- processing is necessary for the purpose of fulfilling legitimate interests of the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require personal data protection, notably if the data subject is a minor.
Consent as a basis for personal data processing
If processing is based on consent, the controller must be able to prove that the data subject consented to the processing of their data.
If the data subject's consent is given within a written statement that also refers to other issues, the request for consent needs to be presented in such a manner that it stands out from the other issues, in an intelligible and easily accessible form, using simple and clear expressions. Any part of the statement that contravenes the Law has no legal effect.
The data subject is entitled to withdraw consent at any time. The withdrawal of consent does not affect the admissibility of processing done on the basis of that consent prior to its withdrawal. Prior to giving consent, the data subject needs to be informed about the right to withdraw it, as well as the effects of withdrawal. Withdrawing consent needs to be as simple as giving it.
When establishing whether consent for personal data processing was freely given, particular care must be taken to ensure that performance of the agreement, including the rendering of a service, is not made conditional on giving consent that is not necessary for its performance.
This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.