The AEPD has sanctioned several of those well-known Spanish companies (eInforma, Axesor, etc.) that market access to identification and contact data of companies, professionals, and self-employed individuals, extracted from various sources such as the Commercial Registry or, as we have now learned, the Business Census of the Chambers of Commerce.

This is not the first time that an entire economic sector has torn its garments in outrage over the sanctioning of something that has been done since time immemorial.

And yet, if you are self-employed and do not have an office or premises, your “professional” address is your home and that of your family, and it is visible to everyone.

So, let's return to the question that titles this post:

Does a poor self-employed bastard have data protection rights?

The answer to this question has changed over time.

Before the GDPR, no.

After the GDPR, it became a bit more difficult to maintain that so-called mixed data (personal data of a natural person who also engages in an economic or business activity) fell outside the scope of the Spanish data protection regulation.

This makes sense: mixed data are legally accessible under several circumstances, and their use by third parties is subject to the application of legitimate interest and other such peculiarities that were not particularly popular during the era of consent supremacy.

So if you're not sure what to do, you consult the VAR and call offside.

You are reading ZERO PARTY DATA. The newsletter on current affairs, technopolies, and law by Jorge García Herrero and Darío López Rincón.

In the few spare moments this newsletter leaves us, we enjoy solving complex issues related to personal data protection. If you’ve got one of those, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.

We do not have further details about the sanction because it has not been published; we only have the notification sent by eInforma to its users stating that they will appeal, but that if nothing major happens, on November 30 they will delete all self-employed individuals' data from the service offered.

Notification from eInforma:

“Dear Client,

We would like to inform you that the main companies in the infomediary sector, which provide information on sole proprietors, have received a sanctioning resolution from the Spanish Data Protection Agency (AEPD) for infringement of Articles 6.1 and 14 of the GDPR.

This sanctioning procedure began in 2022 following a complaint filed by the organization Institut per la Cultura Democràtica a l'Era Digital Associació, without any individual complaint having been submitted by any affected sole proprietor.

In the same resolution, in addition to the financial penalty, we are ordered to cease processing and delete the data of sole proprietors obtained under the contract we have with Camerdata, until a legal basis as contemplated in Article 6.1 of the GDPR is established.

For this reason, and although the resolution is not yet final, we wish to inform all our clients in advance about the situation and the measures we are going to take at INFORMA.

As communicated by ASEDIE (Multisectoral Association of Information), maintaining accessible official public information sources is essential to guarantee transparency, legal certainty, and efficiency in commercial relations. For this reason, we will appeal the resolution, but we will also keep the door open for dialogue with the AEPD in an effort to find a solution to this change in the AEPD's stance that has led to the current situation.

In any case, if we do not receive new updates from the Chamber of Commerce register, on November 30 we will proceed to delete all self-employed individuals' information from our systems, and information on sole proprietors will no longer be available in any of our products.

We will keep you informed as relevant developments occur.

Yours sincerely”

Translation

Violation of Articles 6.1 and 14 of the GDPR. That is:

6.1 – Processing of personal data without sufficient lawful basis: that is, something like this — the Chambers of Commerce obtain data on poor thing self-employed individuals from the Tax Agency to create the public business census. And that’s mandated by law, fair enough.

But the law does not require (nor expressly authorize) selling that data to eInforma so that it can, in turn, resell it.

14 – Obtaining such data from a source other than the data subjects (Camerdata) without informing them of what you intend to do, where you got their data from, or (where applicable) offering the right to object to the processing… even though what you're marketing is precisely the data that would allow you to do that.

Bad, very bad.

Background of the same issue

This has happened many times before.

Equifax got slapped with a one-million-euro fine (it could have been nine million — that was the originally proposed penalty) for this very same issue.

I detailed it thoroughly here.

The same idea — attempting to sanctify any data processing involving “freely accessible” data, effectively elevating publicly accessible sources to the level of a seventh lawful basis for processing personal data — was the main reason for the AEPD’s rejection of the Code of Conduct proposed by ASEDIE, the infomedia sector lobby… in which Equifax is one of the main players.

In its opinion, the AEPD dismantled the idea of indiscriminate access to and use of data from “publicly accessible sources,” case by case, in regard to several specific examples — particularly the most commonly used ones (data from official publications such as public servant appointments, grants, subsidies, data from public registries, land registry, public sanction boards, Social Security notices and edicts, public insolvency registry, Industrial Property Gazette, electoral rolls from chambers of commerce, registries of licensed professionals…).

It was also a bombshell within the sector—though little discussed outside of it—the opinion directed at Industrial Property Agents. Industrial Property Agents monitor the Industrial Property Official Gazette, and when a patent application is published that resembles a registered one, they bombard the holder of the latter with offers to challenge the new application and similar services.

The question:

“The inquiry essentially raises the question of whether industrial property agents may use the data of individuals published in the Official Industrial Property Bulletin (BOPI) to contact them for the purpose of "promoting their activity"—that is, whether they may offer their services to such individuals. As stated, the inquiry clearly pertains to individuals with whom there has been no prior client relationship, since the objective is to promote their services in order to attract new clients.”

AEPD answered:

“In fact, the use of personal data whose publication is mandated by law in the official industrial property bulletins would be for a purpose different from that for which the data was initially collected. Therefore, in order to determine whether processing for this new purpose is compatible, reference must be made to Article 6.4 of the GDPR, interpreted in light of Recital (47) of the GDPR. This recital establishes that, for such compatibility to exist, there must be a relevant and appropriate relationship between the data subject and the data controller, such as in situations where the data subject is a client receiving services from the controller.

However, as mentioned at the outset, no such relationship exists in this case between the controller and the data subject whose data has been published in the BOPI. As such, the data subject cannot reasonably foresee, at the time and in the context in which the personal data is collected, that it may be processed for such a purpose. In other words, as stated in Recital 47, the data subject’s interests and fundamental rights should override the controller’s interests where the data subject does not reasonably expect further processing.

Moreover, in this case, since the publication of personal data in the official industrial property bulletins is legally mandated and independent of the data subject's will or consent—which they cannot refuse—it is understood that the data subject’s rights, freedoms, and interests prevail over the controller’s legitimate interest. Consequently, in this instance, there is no overriding legitimate interest of the controller over the data subject’s rights that would justify the intended processing of personal data.”

“It could have been avoided”

How?

Strictly speaking, by taking a closer look at the whole legitimate interest issue, or at the secondary data processing mechanisms.

Or in a much bolder and more buccaneering manner—but, up to now, absurdly tolerated by the AEPD:

Someone might think that, had eInforma come up with the MARVELOUS IDEA of sending spam (unsolicited electronic commercial communications) to all those shady and rebellious self-employed individuals, the move could have turned out much cheaper for them (although, mind you, the amount of the sanction is still unknown).

Because, incredibly, it seems that when the LSSI is violated through the sending of commercial communications, the AEPD applies only the (comparatively) lenient penalties provided under that law, without addressing how or where the hell the data used for those mailings came from… in other words, ignoring the GDPR violation, which is far more serious both qualitatively and quantitatively.

I explained all this (and counter-argued, half incredulous, half outraged) here.

Jorge García Herrero

Lawyer and DPO

Compartir Zero Party Data

Deja un comentario