Neighbourhood Community and WhatsApp Group. What does the AEPD say?
The AEPD has imposed a fine of 2,000 euros on a community of owners for disseminating personal data through the community’s WhatsApp group. The president of the community, published in a WhatsApp group a bank receipt of a neighbour where the name, surname, bank details and address appeared. All this was done without authorization.
Background and Fines for Non-Compliance with Privacy
The community of owners has been sanctioned based on two articles of the GDPR, article 5.1 f) for sharing a private conversation of the injured party:
“(…)f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”) (…)”
and article 32 for the lack of implementation of appropriate technical and organizational measures:
“(…) Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which in their case shall include, among others (…)”
The Spanish Data Protection Agency (AEPD) has established that access to community data by owners is not free, but must be duly justified. This means that only those people who do not hold the position of president will be able to access such information if there is a valid reason for it.
In this sense, the community of owners itself is responsible for the processing of the data that is carried out for its proper management and operation. As such, it corresponds to implement the necessary technical and organizational measures to guarantee that such treatment is adjusted to the provisions of the General Data Protection Regulation (GDPR).
Similar sanctions
However, this is not the first sanction imposed on a community of owners by the AEPD, since in 2022 the AEPD sanctioned a Community of Owners for the exposure of the Minutes of the last assembly they held in the elevators of the Community building.
In said Minutes, the attendees and representatives are identified by name, surname, floors and door, and in addition, the floor and door of the neighbours affected by a complaint that has been carried out due to works considered irregular by the Community are detailed.
Likewise, in 2020 another community of owners was sanctioned with 6,000 euros for requesting the neighbour’s ID to access the pool. The AEPD understood that the community exceeded the data processing, since, with noting the floor and letter, it would have been sufficient to identify the pool user.
How to Make Good Use of a WhatsApp Group
Neighbourhood communities are not exempt from complying with data protection regulations. To make use of these instant messaging applications, they must take into account the following points:
- Exclusive use for community matters: limit the use of the chat to topics related to community management, avoiding personal or irrelevant conversations.
- Respect and education: maintain a respectful and polite tone in communications, avoiding insults, disqualifications or inappropriate language.
- Data protection: do not share personal data of neighbours or confidential community information in the chat.
- Moderation: appoint a chat administrator or moderator to ensure compliance with the rules and avoid conflicts.
- Clear and concise communication: use clear and concise language in messages, avoiding long or confusing messages.
It is important to remember that the use of instant chats does not replace face-to-face meetings or official community communication channels.
If you belong to a community of owners and have any questions, do not hesitate to contact Letslaw.