Personal Data Protection: Relevant International Jurisprudence in 2023

January 19, 2024

Maria Ignacia Ormeño Sarralde
Associate Attorney
Alessandri Abogados

Bearing in mind the progress of the personal data bill, we believe it is appropriate to comment on some infractions and sanctions that took place in Spain, the United Kingdom and Colombia. These are cases that could easily take place in Chile. Therefore, we recommend reviewing the grounds for the sanctions.

  • The Spanish Data Protection Agency (AEPD), through resolution 0048/2023, ruled on the capture of images of the Spanish National Identification Document (DNI) and gave general instructions on how such personal data should be processed. According to the AEPD, capturing images of the DNI is not the ideal instrument when the sole purpose is to identify persons, because the images constitute sensitive data whose leakage, lack of care or improper use may have negative effects for the holder of the personal data. In Chile we are asked for our identity card to prove our identity in many circumstances. In doing so, we share the serial number, which we know is confidential and whose leakage or improper use by third parties may lead to crimes or fraud, such as usurpation of the identity of the data holder, and to damages for the holder. That is why, when the capture of images of the DNI or identity card is requested, as stated by the AEPD, the joint processing of the DNI number and the names and surnames of the holder, especially through images, requires the adoption of strict security measures by the party responsible for the personal data.
  • The AEPD, by resolution EXP202206735, sanctioned a company for the disproportionate use of surveillance cameras in the dining rooms of its workers, rejecting the argument that such recordings could be justified on the grounds of protecting the safety of the company and its workers. The fine was €50,000 for infringing on the privacy of its workers, and the AEPD held that there was no basis for recording workers while they have lunch during their free time. In order to maintain security while bearing in mind the principles of necessity and proportionality of the measure, it is important to take into consideration the recordings that public or private institutions in Chile make of their workers and the circumstances in which workers could or should actually be recorded.
  • The British Ministry of Defense (MOD) was fined £350,000 by the Information Commissioner’s Office (ICO) for recklessly causing a data leak that exposed the personal data of citizens of Afghanistan who were attempting to flee the country after the Taliban took control in 2021.

In this case, the MOD added the email addresses of 245 people who had worked for or with the UK government in Afghanistan into the “To” field of an email, where all recipients could be read. Then, two people who received the email pressed “Reply All” and one of them provided the location of such emails. Going back to what could happen in Chile, so far public bodies are not exempted from the application of the Personal Data Bill, so they could be sanctioned, according to paragraph IV of the bill.

  • The AEPD sanctioned a recruitment and personnel selection company for sending spam messages using data obtained through the social network LinkedIn. The company collected data from potential candidates through this social network and then sent them an email offering to add their curriculum vitae to its database so that it would be available for future job offers. In its resolution, the AEPD pointed out that, although LinkedIn data are public, this does not mean that they can be used for any purpose, nor are they data from sources freely available to the public. For Chile, this would be a radical change with respect to the purposes for which information is extracted from third-party sources, in this case LinkedIn.
  • The Superintendence of Industry and Commerce of Colombia fined a telecommunications company for failing to implement adequate and sufficient measures when it obtained referral telephone numbers from its customers through a commercial campaign, without prior, express and informed authorization, in order to offer the referred persons telecommunications services. The sanction imposed by the Superintendence was accompanied by a set of orders, among which the following stand out: (i) to refrain from continuing to use the databases collected during the promotional campaign; (ii) to delete the databases associated with this campaign; and (iii) to cease any type of activity in which personal data is collected without the authorization of the holder by means of this type of commercial strategy, in which third parties are used to collect personal data for commercial purposes. The fine amounted to one thousand three hundred million Colombian pesos (around $303,307,382 Chilean pesos).
