Fine imposed on the Trilema Foundation for publishing images without consent
1. Key issues related to the incident
The procedure arises from a complaint filed with the AEPD in April 2024 against the Trilema Foundation (hereinafter, F.T.), the body managing an educational center, regarding the publication of images and videos of a minor and their mother on social media and the internet, without the necessary consent for this processing.
The complainant, the father of a student enrolled at the educational center managed by F.T., stated that the school had published photographs and videos of his child on various social media (including Instagram, YouTube, Facebook, and the school's website) without having obtained his authorization. The complainant stated that after requesting a copy of the authorization, the center acknowledged that it had none.
According to the documentation of the file, images of the minor and their mother were published on at least four platforms and social networks between 2021 and 2024. The AEPD verified the accuracy of the reported publications in May 2024.
F.T. stated that the center requested consent for the publication of images at the beginning of each school year. However, they acknowledged that for the academic year 2023-2024, no signed consent had been received from the child's mother or father, and therefore, the minor was classified as 'unauthorized.' Regarding previous academic years, F.T. admitted that signed consent was not retained, as a one-year retention policy was applied. Regarding the images of the child's mother, F.T. acknowledged that they had only obtained verbal consent, which was explicitly denied by the interested party.
The AEPD analyzed several aspects of the personal data processing carried out by F.T., particularly the existence of a valid legal basis for the publication of the images (Article 6 of the GDPR), as well as compliance with the principle of data retention limitation (Article 5.1.e of the GDPR), given that the organization's policy provided for the indefinite retention of published images. The procedure concluded with a total fine of €6,000, reduced to €3,600 after F.T. acknowledged their responsibility and voluntarily paid the amount.
2. GDPR failures
Based on the described facts and the investigations conducted, the AEPD considered that F.T. had failed to fulfill several obligations established in the GDPR and determined that two different violations had been committed:
1. Lawfulness of processing – Lack of valid consent (Article 6.1.a of the GDPR)
The legal basis invoked by F.T. for publishing images of students and family members on social media and the internet was the consent of the data subject (Article 6, paragraph 1, letter a), of the GDPR). However, the AEPD found that F.T. could not demonstrate that this consent had been obtained validly.
Regarding the images of the minor, F.T. admitted that during the academic year 2023-2024, no signed consent was received from the parents, although they acknowledged that the minor appeared in at least one published image due to ‘identification error.’ Regarding previous academic years, the organization stated that signed consent had been obtained but that they did not retain the documents, as they applied a one-year retention policy. Furthermore, regarding the images of the child's mother, F.T. recognized that they had only obtained verbal consent, which was not documented in writing, a fact that was expressly denied by the interested party.
The AEPD noted that consent, in accordance with Recital 32 of the GDPR, must be given through a clear affirmative act that reflects a free, specific, informed, and unequivocal indication of the data subject's wishes. Consequently, the AEPD concluded that F.T. had not obtained the valid consent of the parents to publish images of the minor and their mother on social media and the internet and considered that Article 6, paragraph 1, letter a), of the GDPR had been violated, resulting in a fine of €3,000.
2. Principle of storage limitation (Article 5.1.e) of the GDPR)
Article 5.1.e) of the GDPR states that personal data must be kept in a form that allows the identification of data subjects for no longer than necessary for the purposes for which the data are processed. The AEPD found that the consent form used by F.T. until the academic year 2024-2025 expressly indicated that the data would be retained 'indefinitely, unless the data subject requests its deletion.'
The AEPD considered that this practice was excessive and disproportionate, in that the images of minors and adult students published on social media and the school's website could remain available even after the students had reached adulthood or were no longer studying at that center, unless the data subject expressly requested their deletion.
Consequently, the AEPD identified a violation of the principle of retention limitation and imposed a fine of €3,000 for this reason. It is noteworthy that, after the initiation of the proceedings, F.T. modified their retention policy, establishing a maximum period of five years, which was considered a corrective measure adopted by the organization, although it did not exempt them from liability for the violation committed.
3. Conclusions
This decision highlights the AEPD's particular approach to the publication of images and videos of minors on social media and the internet by educational institutions, as well as the need for these institutions to have robust and verifiable mechanisms for obtaining and retaining consent.
The AEPD points out that when the legal basis for processing personal data is the consent of the data subject, it must be free, specific, informed, and unequivocal, and the data controller must be able to demonstrate that it has been obtained at all times. Therefore, it is not sufficient to obtain verbal consent or to assert the existence of authorizations that are not retained or cannot be demonstrated. Furthermore, the retention of personal data — including images — must be subject to defined and proportionate time frames, and an indefinite retention policy is not acceptable.
Informative note from the ECIJA Madrid Data Protection Department.
