AEPD Resolution: EXP202416460

The Incident (The Rental Flat Spy Camera): In October 2024, a tenant living in a shared rental flat in Spain (***DIRECCIÓN.1) discovered that their landlord had installed a 360-degree surveillance camera inside the apartment. This was not a camera monitoring the building entrance or common outdoor areas—it was positioned inside the private living space, capturing continuous footage of the interior of the flat. The camera had motion detection capabilities, automated tracking features, and bidirectional audio (meaning the landlord could both watch and listen to the tenants, and potentially speak to them remotely). The camera's wide-angle lens captured images of all the female tenants moving around the flat, including their access to bedrooms, bathroom, and kitchen—essentially surveilling every aspect of their private domestic life.

The Landlord's Justifications (The Changing Story): When confronted by the tenants about this invasive surveillance, the landlord initially claimed the camera was installed for "security purposes." However, when the tenants filed a formal GDPR complaint with the AEPD, the landlord's story changed dramatically. In their first response to the AEPD (2 January 2025), the landlord submitted a signed declaration claiming: "The camera was never actually installed. It was a 'pre-installation' but when the girls didn't agree, I removed it from the wall. I will send documentation in the coming days showing the tenants confirm there is no camera in the property." This directly contradicted the photographic evidence and WhatsApp conversations the tenants had already provided to the AEPD showing the camera actively installed and operating inside the flat.

The Legal Framework (Why This Is Particularly Serious): The AEPD's resolution includes an extensive legal analysis drawing on Spanish Constitutional Court jurisprudence establishing that rental accommodation—whether a full flat or even a single rented room—constitutes a "domicile" (home) for constitutional purposes, entitled to the highest level of privacy protection under Article 18 of the Spanish Constitution. The regulator cited landmark rulings confirming that hotel rooms, temporary accommodations, and rental properties are protected spaces where individuals have the right to live "free from social conventions, observations, and recordings"—essentially, a sanctuary from surveillance.

The AEPD emphasised that the constitutional right to privacy (Article 18.1) and inviolability of the home (Article 18.2) extend to rental properties, meaning landlords cannot treat tenants' living spaces as their own property to monitor at will. The regulator invoked Constitutional Court precedent stating that the home is protected not just as a physical space, but as "an emanation of the person and their private sphere"—a zone where individuals can develop their personality and identity without external intrusion.

The GDPR Violations (Article 6 - No Lawful Basis): The core legal violation was Article 6 RGPD (Lawfulness of Processing). The AEPD determined that the landlord had no legitimate legal basis for processing the tenants' personal data (video and audio recordings of their private lives). Specifically:

Not Consent: The tenants explicitly objected to the camera—this was not consensual surveillance
Not Contract: Installing spy cameras is not "necessary for the performance" of a rental contract
Not Legal Obligation: No Spanish law requires landlords to surveil their tenants
Not Vital Interests: The tenants' lives were not in danger requiring emergency monitoring
Not Public Interest: Landlords are not public authorities performing official functions
Not Legitimate Interest: Even if the landlord claimed "security" as a legitimate interest, this fails the three-part test because: (1) the intrusion into tenants' intimate privacy is extreme, (2) tenants have a reasonable expectation of privacy in their home, and (3) less intrusive alternatives exist (e.g., external building entrance cameras)

The AEPD Sanction Process: The regulator initiated a formal sanction procedure proposing a €3,000 fine. However, Spanish administrative law (Article 85 LPACAP) provides substantial fine reductions for defendants who:

• Admit liability (20% reduction)
• Pay immediately without contesting (20% reduction)
• Both (40% total reduction)

The landlord chose to admit liability and pay immediately (7 October 2025), reducing the fine from €3,000 to €1,800. Whilst this avoided a drawn-out legal battle, the admission of responsibility created a permanent regulatory record confirming the GDPR violation occurred.

The Enforcement Order: Beyond the fine, the AEPD issued a binding order under Article 58.2(d) RGPD requiring the landlord to prove—within one month of the resolution becoming final—that the camera system has been completely removed or rendered permanently inoperative. Failure to comply with this order would trigger a separate, additional sanction procedure for non-compliance with a regulatory directive (potentially classified as a "very serious" infraction under Article 72.1(m) LOPDGDD).

Based on Resolution EXP202416460, here is the compliance protocol for landlords, property managers, short-term rental operators (Airbnb hosts), and anyone involved in residential accommodation:

1. Rental Accommodation Is a Protected "Home" Under GDPR and Spanish Law

This is the foundational principle established by this case, drawing on constitutional jurisprudence.

Legal Reality: When you rent a property (or even a single room) to someone, that space becomes their domicile for legal purposes. It is no longer "your property to monitor"—it is the tenant's home, entitled to the same privacy protections as a hotel room or a purchased residence.

What This Means:

• Tenants have a constitutional right to privacy and intimacy in rental accommodation
• Surveillance that would be illegal in a hotel room is equally illegal in a rental flat
• "I own the property" is not a defence for invading tenants' privacy
• Short-term rentals (Airbnb, Vrbo, etc.) are subject to the same rules

Action: Recognise that once you rent a space to someone, your ownership rights are limited by their constitutional right to privacy. You cannot use "property rights" to justify surveillance.

2. Interior Surveillance of Rental Properties Is Categorically Prohibited

The AEPD's analysis leaves no room for interpretation: you cannot install cameras inside rented living spaces.

Absolutely Prohibited Locations:

• Living rooms, lounges, common areas inside the flat
• Kitchens
• Hallways or corridors inside the accommodation
• Any location with sight lines to bedroom doors, bathroom entrances, or private spaces
• Anywhere that captures audio of conversations inside the home

Why This Is Illegal:

• No Lawful Basis Under Article 6 RGPD: None of the six legal bases apply to landlord surveillance of tenants' intimate spaces
• Violates Article 18.1 Spanish Constitution: Right to personal and family privacy
• Violates Article 18.2 Spanish Constitution: Inviolability of the home
• Fails Proportionality Test: The intrusion vastly outweighs any claimed security benefit

Action: Remove all cameras from interior spaces in rental properties immediately. If you currently have interior cameras, you are committing an ongoing GDPR violation that could result in daily compounding fines.

3. Permissible Surveillance Locations (Exterior and Common Building Areas Only)

Landlords may install cameras in certain locations, subject to strict conditions.

Permitted Locations (With Proper Signage and Justification):

• Building entrance (external door to the street)
• Shared building hallways (stairwells, lift areas) in multi-unit buildings
• Building perimeter (external walls, parking areas, gardens) where no interior spaces are visible
• Common facilities (shared laundry room, storage areas) if truly communal and not part of an exclusive-use rental

Requirements for Lawful Exterior Surveillance:

1. Clear Signage: Mandatory GDPR-compliant notices at all camera locations stating:
   • "Video surveillance area"
   • Identity and contact details of the data controller (landlord's name/company)
   • Purpose (security of building and property)
   • Rights of data subjects (access, deletion, complaint to AEPD)
   • Where to obtain detailed privacy information

2. Proportional Coverage: Cameras must only capture the minimum area necessary for legitimate security purposes (e.g., a doorway camera should not also capture neighbouring properties or public streets beyond what's unavoidable)

3. Limited Retention: Footage can be stored for maximum 30 days unless needed as evidence of a specific crime

4. Access Controls: Only the landlord/property manager should have access—not shared with third parties without legal basis

Action: If you have legitimate security concerns about building entrances or perimeters, install cameras in those locations only, with proper signage and GDPR-compliant privacy notices.

4. The "Security" Justification Does Not Work for Interior Surveillance

The landlord in this case likely argued the camera was for "security." The AEPD rejected this entirely.

Why "Security" Fails as Justification:

Legitimate Interest Test (Article 6.1(f) RGPD):
To rely on "legitimate interest," landlords must pass a three-part test:

1. Necessity Test: Is surveillance necessary to achieve the security goal?
   Answer: No—external cameras, alarm systems, secure locks, and tenant self-monitoring are less intrusive alternatives

2. Balancing Test: Does the landlord's interest outweigh tenants' privacy rights?
   Answer: No—tenants' constitutional right to privacy in their home vastly outweighs property protection interests

3. Reasonable Expectations: Would tenants reasonably expect this level of surveillance?
   Answer: No—people renting accommodation have a fundamental expectation of privacy

Alternative Security Measures:

• External building entrance cameras
• Alarm systems that tenants control
• Secure locks and access control systems
• Insurance against property damage
• Proper tenant screening and deposits

Action: Do not install interior cameras and claim "security" as justification. This legal basis is categorically rejected for interior rental surveillance.

5. Consent from Tenants Does Not Legitimise Interior Surveillance

Even if tenants "agree" to interior cameras, this likely does not constitute valid GDPR consent.

Why Tenant "Consent" Is Invalid:

Power Imbalance (Recital 43 RGPD): GDPR recognises that consent is not freely given when there is a clear imbalance of power between controller and data subject. Landlord-tenant relationships inherently involve power imbalances because:

• Tenants need accommodation (basic necessity)
• Landlords control access to housing
• Tenants fear eviction or non-renewal if they refuse
• "Agree to cameras or don't rent here" is coercion, not consent

Informed Consent Requirements: Valid GDPR consent must be:

• Freely given (no coercion)
• Specific (clear what is being consented to)
• Informed (tenants understand the implications)
• Unambiguous (explicit agreement, not silence or inaction)
• Withdrawable at any time

Action: Do not attempt to obtain "consent" from tenants for interior surveillance as a condition of renting. Even if they sign a document agreeing, this is likely invalid under GDPR due to the power imbalance.

6. The "Pre-Installation" or "It's Not Recording" Excuses Don't Work

The landlord in this case claimed the camera was never fully installed or wasn't actually recording. This is irrelevant.

Legal Principle: The mere presence of a camera in a private space—even if turned off or not recording—constitutes a violation because:

• It creates a "chilling effect" on tenants' behaviour (they self-censor assuming they're being watched)
• Tenants cannot verify whether it's truly inactive
• The potential for activation creates psychological surveillance even without actual recording

AEPD Position: The regulator did not require proof the camera was actively recording. The installation itself was the violation because it demonstrated:

• Intent to surveil
• Lack of respect for tenant privacy
• Failure to implement appropriate data protection measures

Action: Do not install dummy cameras, inactive cameras, or cameras "for future use" in rental interiors. Their mere presence violates GDPR.

7. Bi-Directional Audio Surveillance Is an Aggravated Violation

The camera in this case had bidirectional audio, meaning the landlord could listen to conversations and potentially speak to tenants remotely.

Why Audio Surveillance Is Particularly Serious:

• Captures even more intimate information than video (private conversations, phone calls, arguments, intimate moments)
• Violates Article 18.3 Spanish Constitution (secrecy of communications)
• May constitute criminal wiretapping under Spanish Penal Code Article 197

Additional Criminal Liability Risk: Whilst GDPR violations are administrative infractions, audio surveillance of private conversations may also trigger:

• Criminal charges under Article 197.1 Spanish Penal Code (unauthorised interception of communications) - punishable by 1-4 years imprisonment
• Civil damages claims for invasion of privacy

Action: Never install audio recording devices in rental properties. This crosses from administrative GDPR violations into potential criminal territory.

8. Mandatory GDPR Obligations for Any Lawful Surveillance

If you do install cameras in permitted exterior locations, you must comply with all GDPR obligations.

Signage Requirements (Article 13 RGPD & Article 22 LOPDGDD):

First Layer (On-Site Signs):

• Visible warning signs at camera locations
• "Video surveillance area" with camera icon
• Identity of controller (your name/company)
• Contact for privacy enquiries
• Reference to where detailed information is available

Second Layer (Detailed Privacy Notice):

• Available at reception, website, or provided to tenants on request
• Must include:
  • Purposes of surveillance (security of building/property)
  • Legal basis (legitimate interest in Article 6.1(f) RGPD)
  • Retention period (maximum 30 days)
  • Rights of data subjects (access, deletion, portability, complaint)
  • Contact details of Data Protection Officer (if applicable)

Record of Processing Activities (Article 30 RGPD):

• Document all surveillance systems
• Log purposes, categories of data, retention periods
• Review and update annually

Data Protection Impact Assessment (Article 35 RGPD):

• Required for surveillance that monitors "publicly accessible areas on a large scale"
• Document risks to tenants' rights and freedoms
• Identify mitigation measures

Action: If you have lawful exterior cameras, create compliant signage, privacy notices, and documentation immediately.

9. Enforcement and Sanctions

This case demonstrates the AEPD's enforcement approach to residential surveillance violations.

Sanctions Applied:

• €3,000 base fine (reduced to €1,800 for early payment and liability admission)
• Mandatory removal order under Article 58.2(d) RGPD
• Permanent regulatory record of GDPR violation

Potential Escalation for Repeat Violations:

• Second violations: €10,000 - €50,000 (no leniency for repeat offenders)
• Failure to comply with removal orders: Additional sanctions under Article 72.1(m) LOPDGDD (very serious infraction)
• Multiple affected tenants: Fines multiplied by number of data subjects
• Combined with criminal charges: Possible imprisonment for audio wiretapping

Tenant Remedies:

• File GDPR complaints with AEPD (free, no lawyer needed)
• Request immediate camera removal
• Potentially claim civil damages for privacy violations
• Withhold rent or terminate lease for breach of habitability (consult Spanish housing lawyer)
• File criminal complaints for wiretapping (if audio surveillance involved)

Action: If you receive an AEPD complaint, immediately remove cameras, admit liability, and pay the fine promptly to minimise sanctions. Contesting obvious violations only increases costs and penalties.

10. Special Rules for Short-Term Rentals (Airbnb, Vrbo, Tourist Apartments)

Many landlords incorrectly assume short-term rentals have different privacy rules. They do not.

Same Rules Apply:

• Interior surveillance is prohibited in Airbnb flats, holiday lets, and tourist apartments
• Guests have the same constitutional right to privacy as long-term tenants
• "It's only for a few days" is not a defence

Platform Requirements:

• Airbnb requires hosts to disclose all surveillance devices in listings
• Undisclosed cameras violate platform terms of service (account suspension)
• Disclosed interior cameras may still violate GDPR (disclosure ≠ consent)

Best Practices for Short-Term Rentals:

• Install exterior cameras only (building entrance, parking, garden perimeter)
• Include camera disclosure in listing description and house rules
• Provide GDPR-compliant privacy notice at check-in
• Never install cameras in bedrooms, bathrooms, or interior living spaces

Action: If you operate short-term rentals, audit your property immediately for interior cameras and remove them. Update your listing disclosures for any lawful exterior cameras.

Summary of Business Risk

This landmark resolution establishes that rental accommodation—whether long-term leases, short-term holiday rentals, or shared flat arrangements—constitutes a protected "domicile" under Spanish constitutional law and GDPR, entitling tenants to absolute privacy from interior surveillance. Landlords cannot install cameras inside rented living spaces under any circumstances, including with tenant "consent," for "security purposes," or as inactive "dummy" cameras, because rental properties are constitutionally protected intimate spaces where individuals have the right to live free from observation. The AEPD's €3,000 base fine (reduced to €1,800 for early admission and payment) sends a clear signal that residential surveillance violations will be prosecuted, with mandatory camera removal orders and potential criminal liability for audio wiretapping. Landlords must remove all interior surveillance systems immediately and limit cameras to exterior building entrances with proper GDPR signage, or face escalating sanctions and permanent regulatory records.