NANDIVALE, S.L. – €10,000 Fine (Spain, 2023)

The data subject was a 4 year old minor, who attended a birthday party at one of the establishments of the controller, Nandivale. The controller posted images showing the faces of children present at the party in the stories of its Instagram profile. After seeing the stories, the mother of the data sent an Instagram message to the controller, asking it to delete the image. However, the controller did not comply with the request and she filed a complaint with the Spanish DPA, claiming that she never gave her consent for the publication of her child's image. The DPA stressed that the physical image of a person must be considered as personal data under Article 4(1) GDPR, and thus, it requires a legal ground to be processed. The DPA also emphasized that, in addition to consent, there are other possible bases that legitimize the processing of data without the need for the authorization of the data subject. For instance, when it is necessary for the performance of a contract or for the satisfaction of legitimate interests pursued by the data controller or by a third party. In the present case, the DPA noted that the controller did not inform data subjects about the processing of personal data that it carried out, neither before nor after it took place. In other words, there was no information about the recording of images in parties organized at the controller's venur and their publication on its social media profile. The controller also did not inform if it relied on consent of the parents, in the case of minors under 14 years of age, or the consent of minors, over 14 years of age, differentiating this circumstance. Therefore,the DPA concluded that there was no accredited basis for the processing of minors' personal data and issued a fine of €10,000 for the violation of Article 6(1) GDPR.