Financial Crime World

Spanish Data Protection Authority Imposes €5,000 Fine for GDPR Violations in Blackmail Case

The Spanish Data Protection Authority (AEPD) upheld a complaint against a 16-year-old teenager for using personal data obtained via WhatsApp to blackmail a 13-year-old minor. The authority imposed a €5,000 fine and ordered the deletion of related data.

Background

  • The teenager and the 13-year-old were in contact through Instagram and WhatsApp.
  • The data subject sent intimate images to the teenager, who used them to threaten and blackmail the child.
  • The Juvenile Court sentenced the teenager for criminal threats.

Alleged GDPR Violations

  • The Spanish DPA started investigative proceedings focusing on a possible violation of GDPR’s Article 6(1) regarding consent and lawful processing.
  • The unauthorized and unlawful processing of the data subject’s personal data and void consent were at issue.

Fundamental Rights & Procedure

  • The claimant argued the constitutional principle of non bis in idem as the teenager had already been penalized for criminal threats.
  • The DPA stated that there was not a material similarity between the administrative and criminal proceedings, and they addressed the GDPR application.
  • The DPA mentioned that the mere collection, storage, and registration of the data subject’s images and videos were considered processing of personal data under Article 4(2).
  • They also highlighted that without a legally obtained valid consent, the processing could not be based on Article 6(1)(a).

Sanctions & Aggravating Circumstances

  • The DPA applied two aggravating circumstances detailed in Article 83(2) GDPR based on the nature, scope, and purpose of the processing and the level of damages to the data subjects.
  • They also applied an aggravating circumstance from Article 76(2)(a) of the Spanish Organic Law of 3/2018 due to the victim being a minor.
  • The principles of proportionality, individualization of sanctions, and the defendant’s testimony regarding the deletion of the images and videos led to a fine of €5,000.

Responsibility of Parents

  • Minors over 14 years old can be administratively sanctioned for violations of data protection laws in Spain.
  • Their parents become indirectly responsible for the payment as outlined in the Spanish Data Protection Agency’s brochure.

Implications

This case highlights the importance of data protection in the digital age, the applicability of GDPR to such cases, and the powers granted to data protection agencies to enforce violations.