Spain: AEPD fines Iberia €50,000 for violation of the right to access

On February 13, 2024, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00138-2023, in which it imposed a fine of €50,000 on Iberia Líneas Aéreas de España S.A. Operadora, Sociedad Unipersonal, which was subsequently reduced to €40,000, for violations of the General Data Protection Regulation (GDPR), following a complaint submitted by an individual.

Background to the decision

The AEPD noted that it had responded to a complaint in which an individual had asked Iberia for information on the use of their documents and the purpose of the processing, after copies of their identity documents and marriage certificate were collected to be sent to Madrid airport police. The individual sent several communications to Iberia requesting this information and received no response.

Findings of the AEPD

Firstly, the AEPD determined that since Iberia collects and preserves, among others, personal data of natural persons, including their name, surname, and email, it is considered a data controller, as it determines the purposes and means of such activity.

Furthermore, the AEPD rejected Iberia's argument that, because the number of requests regarding personal data protection had increased as a result of the COVID-19 pandemic, it was impossible to avoid operational errors, which explained the lack of response to the claimant's request. The AEPD also determined that by contacting customer service, the complainant could reasonably expect that their request would be attended to.

Finally, the AEPD found that Iberia infringed Article 15 of the GDPR by not attending to the right of access of the complainant.

Outcomes

In light of the above, the AEPD imposed a fine of €50,000 on Iberia for the violation of Article 15 of the GDPR. The fine was subsequently reduced to €40,000 on condition of the withdrawal or renunciation of any administrative action or appeal against the sanction.

You can read the decision, only available in Spanish, here
