Creating fake advertisements with the personal data of others is an infringement of the GDPR and a possible crime

Under recent amendments to the Spanish Criminal Code these actions could also be considered a crime if the advertisements caused a situation of harassment or humiliation for the victim.

The fined individual published three online advertisements under the name, image and telephone number of the complainant, who received numerous calls and WhatsApp messages regarding the services advertised, that were of unpleasant nature. This caused her temporary psychological distress. 

The AEPD was able to identify the individual who had posted the advertisements, in cooperation with the online platform where they were posted, which provided the IP address of the posts, and the mobile operator to which the address was assigned, that was able to provide the personal information of the user it corresponded to on the dates and times of the uploads. 

The initiation agreement of the procedure contemplated the alleged unlawful processing of personal data and was notified to the individual. Since no allegation was received within the established legal deadline, the agreement of initiation was considered as a proposed resolution since it contained a precise pronouncement about the imputed responsibility (in accordance with article 64.2.f) of the Spanish Common Administrative Procedure Law —LPACAP, for its acronym in Spanish—). 

The proposed resolution stated the following: self-pictures, name and telephone number are considered personal data, thus, are protected under the Law. When they are used by others to impersonate our identity publicly (e.g., on the internet) this implies the unlawful processing of personal data in view of the fact that there is no consent on our side or any other legal justification for their use. 

This unlawful processing of data is a serious infringement of the provisions of the GDPR, aggravated, in this particular case, by the purpose of the individual to cause damage to the claimant, and the clear intentionality to publish the advertisements (based on the fact that when the first advertisement was taken down by the platform at the complainant's request, the individual uploaded another one with the same content). According to all proven statements, the AEPD decided to impose a fine of 10,000 Euro. 

Last, as previously mentioned, if the claimant considers that the use of her image in the advertisement without her consent has caused her a situation of harassment or humiliation, she could also resort to criminal proceedings under recently introduced article 172 ter .5 of the Spanish Criminal Code.