Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines Baser Comercializadora De Referencia €150,000 for GDPR violations

The Spanish data protection authority ('AEPD') published, on 11 April 2022, its decision in Proceeding No. PS/00476/2021, fining Baser Comercializadora De Referencia, S.A. €150,000, for violations of Articles 6 and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint.

Background to the decision

In particular, the AEPD noted that it had initiated an investigation, following a complaint by a customer of the company who had alleged that the contract was changed without their consent. In addition, the AEPD added that Baser Comercializadora claimed that it had received a call from a woman who claimed to live at the claimant's address and was able to provide details necessary to pass verification, which thereby resulted in the changes to the contract.

Findings of the AEPD

In this regard, the AEPD outlined that Baser Comercializadora violated Article 32 of the GDPR for the lack of adequate security procedures which allow for the proper verification of a customer. Furthermore, the AEPD noted that since Baser Comercializadora's security procedures require data such as names and surnames, telephone numbers, and addresses, such data may be available to third parties and used for fraudulent purposes. In addition, the AEPD noted that Baser Comercializadora modified the contract without the consent of the claimant, which implies a violation of Article 6 of the GDPR.


As a result of the violation, the AEPD imposed a fine of €150,000, €100,000 for the violation of Article 6 of the GDPR and €50,000 for the violation of Article 32 of the GDPR.

You can read the decision, only available in Spanish, here.