The fine imposed on a property agency for exposing images of minors has highlighted the importance of protecting the rights of minors.

An individual filed a complaint with the Spanish Data Protection Agency, with the aim of highlighting the violation of the rights of his minor children.

Publication of images of minors

The sanctioned property agency contacted the owner of the property concerned, with the supposed aim of checking the conditions of the interior of the property.

However, days later, the complainant detected that the property agency had published photographs it had taken of the inside of the property on different property agency websites, without the consent of the owners of the property in question.

When looking carefully at these images, the parents of the minors observed that they also showed photos of their children, which were perfectly identifiable.

The individual argued that the website of the real estate company complained about did not comply with the following:

  • The regulations for the protection of personal rights.
  • The Law on Information Society Services.

On 14 July 2022, the Spanish Data Protection Agency (AEPD) proceeded to check the existence of the aforementioned images on the property agency in question, and detected the images provided by the complainant, in addition to a fourth photograph.

This photograph was taken of the children’s bedroom , where an image of them could be seen on a chest.

Infringement of the principles contained in the Regulation

Article 4(1) of the General Data Protection Regulation refers to personal data. It defines it as follows:

An identifiable natural person is any person whose identity can be established, directly or indirectly, in particular through an identifier such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that person“.

Principle of data minimisation

For its part, the AEPD recalled that all processing of personal data must respect the principles that govern it, among which is the principle of data minimisation.

This precept is set out in Article 5.1.c of the General Data Protection Regulation. It states that only data that are necessary for the purposes of the processing, i.e. data limited to what is necessary, shall be processed.

Recital 39 of the GDPR determines that personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means.

In the present case, the purpose pursued by the real estate agency was none other than to publish the images of the property on real estate portals.

In that manner, it attracts the attention of the consuming public to purchase the property.

Therefore, the processing of the minors’ personal data was not necessary, neither was the purpose pursued.

Principle of proactive responsibility

It was determined that the property agency did not try to prevent minors from appearing in the photographs taken.

Neither did it take subsequent measures to delete their faces, once the images were published on real estate portals.

Article 5.2 GDPR sets out the principle of proactive accountability, which determines that the controller is responsible for compliance with the principle of data minimisation.

The controller shall implement appropriate technical and organisational measures in order to ensure and be able to demonstrate that the processing is in compliance with this Regulation“.

Therefore, the property agency did not comply with its duty to take appropriate measures to demonstrate the lawfulness of the processing of the personal data of the minors concerned.

Property agency fined for exposing images of minors

According to Article 76 of the Organic Law on Data Protection, sanctions and corrective measures shall be imposed when the rights of minors are affected.

The Spanish Data Protection Agency classified the infringement attributed to the property agency as severe.

That is because the purpose of the processing could not stand out from the main activities of its business.

It was also determined that the damage caused was relevant and significant, as it directly affected the rights of minors.

For all these reasons, the Spanish Data Protection Agency imposed a fine of €10,000 on the accused party.

It detected the existence of guilt and a very serious lack of diligence on the part of the property agency regarding the obligations imposed by the GDPR.


Auratech is at your disposal.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *