El León Espanol – €10,000 Fine (Spain, 2024)

A data subject filed several complaints with the Spanish DPA (Agencia – AEPD) against specific users of Twitter as well as a newspaper, the controller. The Twitter users had posted a video in which the data subject is clearly recognisable. After its publication on Twitter, the video went viral. The controller had published the video as part of an article on its website. The data subject stated that the video had been created for work purposes for the launch of a social media challenge. On the 9 September 2022, the AEPD started preliminary proceedings against the controller. In response, the controller submitted a statement showing that it had deleted the video from its website. The controller argued that the focus of the article was to analyse the popularity and implications of the trend rather than assessing the data subject’s personal or private life. It further argued that in its role as a media provider it was required to inform on current relevant events. It also highlighted that other media outlets had also shared the video. In addition, the controller brought forward that it had merely included a nickname of the data subject in the article, which had been manifestly made public through the trend. On the 15 April 2024, the AEPD in its preliminary findings found that the controller had breached the data minimisation principle under Article 5(1)(c) GDPR and for this issued a fine of €10,000. The AEPD stated that anonymization techniques should have been implemented which would have blurred the image or distorted the voice of the data subject. In response to this, the controller again submitted that GDPR protections cannot reasonably be applied in this case due to press freedom. As the video of the data subject had gone viral before the controller published their article, the data subject was already a person in the public interest. The controller further submitted that the article could not be understood without showing the content of the video including the