Data protection

Homeowners' association fined 2,000 euros for posting a private conversation and bank details to community chatroom

Although Spain's data protection agency (AEPD) initially closed the case, finding no evidence of an infringement, an appeal was lodged against this decision

Monday, 30 June 2025, 12:10

The president of a homeowners' association shared a private conversation in a community WhatsApp group and a copy of a bank receipt revealing the homeowner's full name, their bank account number and their postal address.

He violated data protection regulations because he was not authorised to do so, and the injured party reported him to the Spanish data protection agency (AEPD).

This data authority has imposed an administrative fine of 2,000 euros on the community of homeowners: 1,500 euros for infringing Article 5.1.f of Spain's general data protection regulations (GDPR). This specific article refers to the principle of integrity and confidentiality.

The other 500 euros are for failing to comply with Article 32, which ensures security in data processing. However, the fine has been somewhat reduced, subject to the withdrawal or waiver of any administrative action or appeal against the fine, resulting in a final payment of 1,600 euros.

The complaint, which was filed by the injured party's father as joint holder of the bank account where the community's bills were paid, was forwarded by the AEPD to the residents' association for analysis and to report within one month on the actions taken to comply with the requirements set out in the data protection regulations.

In its response, the homeowners' association provided an affidavit from the community's secretary-administrator certifying that the WhatsApp group is not the result of a community agreement, but was created at the initiative of one homeowner. It also argued that the community has no control over what is posted on the chat, nor is it responsible for any statements made therein. "It also states that the homeowners' association is not the owner of the telephone number," says the resolution consulted by SUR.

Although the AEPD initially closed the case, finding no evidence of an infringement, an appeal was filed against this decision arguing that, although the message had been deleted from the president's phone, it was still on the devices of the other property owners, rendering the measure ineffective.

The appeal was upheld and, consequently, sanctioning proceedings were initiated. The plaintiff submitted a written statement detailing that the bank statement had been sent to the president, who authorised its publication with the following words: "Show it to whomever you want when you're walking around the community; I have no objections, it keeps you entertained and gives me peace of mind for a day."

The AEPD asserts that it cannot be inferred from this statement that the affected party authorised the dissemination of the conversation via WhatsApp, "but rather, at most, to be shown to individuals".

Moreover, the AEPD also stresses that any homeowners not holding the office of community president may only have access to the community's documentation when it is justified.

"The homeowners' association itself is responsible for the processing carried out for the proper management and operation of said association under the horizontal property regime and it is up to that association to implement appropriate technical and organisational measures to guarantee and demonstrate that the processing complies with the GDPR," states the resolution.
