Spain: AEPD fines community owners €500 for failing to implement appropriate security measures
The Spanish data protection authority ('AEPD') published, on 12 April 2022, its resolution in proceeding PS/00043/2021, in which it imposed a fine of €500 to community owners, for violations of Article 5(1)(f) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following receipt of a complaint.
Background to the case
In particular, the decision states that the Presidency of the Community of Owners had placed a list of debtors on three boards of the communities bulletin boards, including the claimant. Moreover, the decision provides that the location of the respective bulletin boards are inside the portals and that all the boards are locked but exposed to viewing by third parties outside of the community. Furthermore, the decision notes that the lists of owners of all the apartments (debtors and non-debtors) included names, surnames, and floor numbers.
Findings of the AEPD
Based on the foregoing, the decision emphasises that, in accordance with the evidence available, the community owners had violated Article 5(1)(f) of the GDPR for failing to implement appropriate security measures.
In addition, the decision considers that, among other things, any imposed sanction should be based on the following aggravating factors:
- non-existence of antecedents;
- remedying of the violation by the community owners through deleting all personal data on the bulletin board; and
- measures taken to mitigate damages and losses suffered. In particular, the administrator and the representative of the community had contacted the complainant to acknowledge the violations and to notify them that the actions taken were not in bad faith.
Consequently, the AEPD imposed on the community owners a penalty of €500 for the violation of Article 5(1)(f) of the GDPR.
You can read the decision, only available in Spanish, here.