A.A.A. – €2,000 Fine (Spain, 2022)

The data subject was a member of an a community of owners, the controller. They complained with the president of the community association about video recordings in which they appeared. Subsequently, the president shared these videos in a WhatsApp group with other neighbours. The data subject then filed a complaint with the Spanish DPA, claiming that the controller violated the principle of integrity and confidentiality while processing their personal data, in breach of Article 5(1)(f) GDPR. During the procedure, the controller alleged that it was an individual conduct of its president, so only the individual could be held liable, not the legal person. The DPA dismissed the controller's argument by stating that the community was acting as the controller as it jointly: a) approved the installation of the cameras, b) determined the purpose of the processing, and c) established the means to carry out said processing. It also stated that holding the president responsible individually was an issue to be carried out internally by the supervisory body of the community through mechanisms provided for in the Spanish Horizontal Property Law (HPL). Therefore, Article 5(1)(f) GDPR was considered violated by the community of owners as a whole and a fine according to Article 83(5) GDPR was imposed. When determining the amount, the DPA took the director’s individual action as well as the communal responsibility into account and issued a fine of €2,000 for the violation of Article 5(1)(f) GDPR as classified under Article 83(5) GDPR.