27 Sep 2022

Spanish Agency Confirms – GDPR Applies to All

In August, the Spanish Data Protection Agency (Agencia Española de Protección de Datos, hereinafter: “Agency“) fined an NN person the sum of EUR 1,500 for violating the norms stipulated by the GDPR (General Data Protection Regulation), through the illegal collection and processing of personal data using a video surveillance system.

(In the Decision issued by the Agency, the names of the parties involved were not disclosed, so the following terms will be used in the rest of this text: Injured party – person 1, Tortfeasor- person 2)

What happened?

The proceedings in front of the Agency were initiated by Person 1 against his ex-wife, Person 2 because Person 2 installed a video surveillance system aimed at the main entrance of the house, in the concrete part of the house Person 2 has the right-of-use.  Person 2 defended herself claiming she set the surveillance system up to have an insight into the events taking place at the part of the house she has the right of use.  However, it was determined that the camera captured photos of a zone in which Person 2 does not have the exclusive right of use.  What seemed at first glance like a classic dispute between ex-partners quickly escalated into something far more complicated – a violation of the right to privacy protected by the GDPR.

How did it happen?

Article 2 of the GDPR clearly states that this regulation does not apply to natural persons when they are processing personal data in the course of a purely personal or household activity, a fact which Person 2 did emphasize during the proceedings. However, after examining the facts, Agency determined that the video surveillance was not adequately aimed at the part of the house on which Person 2 has the right of use, but that it included a wider frame, and thus, unjustifiably, the individuals in that frame.  In this regard, the Agency has assessed that this is not a case of personal data processing for the above-mentioned reasons and that the GDPR is to be applied to this specific case. Since individuals are not allowed to install devices for obtaining images/videos from public spaces, it has been determined that Person 2, by installing the aforementioned camera, also compromised the right to privacy of third parties, not just Person 1.

According to the Agency, this kind of action constitutes a violation of Article 5, paragraph 1 point (c) of the GDPR, which stipulates, as one of the principles of personal data processing, that this action must be performed in a manner that is adequate, relevant and limited by the purpose of collecting the data (“minimalism criterion”).

Stating that this principle was not met by installing the controversial video surveillance, the Agency decided to fine Person 2 with a sum of EUR 1,500 as effective, proportionate, and dissuasive, and in accordance with Article 83 of the GDPR.

What does this mean?

Although it was adopted some time ago, the GDPR is still a hot topic, and every decision of the competent authorities regarding its application is closely watched.  The Spanish regulator’s decision is significant because it indicates the criteria that will be considered when deciding on the application of the GDPR to a specific case.  It also shows the determination of the competent authorities to ensure the protection of the right to privacy, as one of the basic human rights.  Thus, given the GDPR’s restrictive interpretation in favor of the defense of the right to privacy, GDPR applies even when processing is carried out by a natural person and for a non-commercial purpose.



Aurhor: Teodora Ristić