Ajuntament de Tiana – Complaint Upheld (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Catalan data protection authority upheld a complaint against a city council for creating a WhatsApp group without proper consent or privacy information. Although they later added a privacy policy, the council failed to inform participants about their right to file a complaint. This case shows the importance of transparency and consent in group communications.
What happened
A city council created a WhatsApp group without obtaining explicit consent or providing full privacy information.
Who was affected
Participants in the WhatsApp group whose names, phone numbers, and profile pictures were visible.
What the authority found
The Catalan data protection authority found that the city council did not fully comply with GDPR's requirements for transparency and consent.
Why this matters
This ruling highlights the need for public entities to ensure transparency and proper consent in digital communications. It serves as a warning to organizations using messaging apps for public engagement to clearly inform users about data practices.
GDPR Articles Cited
A data subject filed a complaint with the Catalan DPA (APDCAT) reporting that a City Council had created a WhastApp group without gathering the explicit consent of the participants and without providing the information required by the GDPR; although two days later, a privacy policy was included in the description of the group. The claimant alleged that the telephone number, name and images of the participants were visible to all of them. The data subject had joined the group via a link that was shared through WhatsApp with a text that indicated that people would receive information related to the city council and that anyone could access the group through the following link if they wanted to join. The APDCAT verified that, when joining the group, the participants were offered information about the identity of the controller, the legal basis fro the processing, the data retention period, the possibility of exercising the data subject's rights, and a link to the city council's web, where one could exercise their rights or contact the DPO (although not about the possibility of filing a complaint with the APDCAT). This information was also included on the description of the group and on the information of the group. On the information of the group, the names, phone numbers and profile pictures of the participants could also be seen. The city council claimed that they were using as a legal basis Article 6(1)(e) GDPR, i.e. processing is necessary for the performance of a task carried out in the public interest, since [https://www.boe.es/buscar/act.php?id=BOE-A-1985-5392 Article 25 of the Law regulating the Bases of the Local Administration Regime (Ley reguladora de las Bases del Régimen Local - LBRL)], that allows city council to engage in institutional communication with their citizens. According to the city council, participants were informed that participants in the group could see names, phone numbers and profile pictures of other participants. However, the city coun
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Ajuntament de Tiana in ES
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Ajuntament de Tiana - Spain (2021). Retrieved from cookiefines.eu
Last updated: