Spain: AEPD fines Eurocollege Oxford English Institute €90,000 for data protection violations

On November 17, 2023, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS/00516/2022, in which it imposed a fine of €90,000 on Eurocollege Oxford English Institute S.L. (Eurocollege) for violating the General Data Protection Regulation (GDPR), following an individual's complaint.

Background to the decision

The complainant claimed that in 2022 they signed a training contract with a school named Centro De Estudios Aeronauticos, S.L. (CEAE). The AEPD highlighted that before being enrolled at the school, CEAE required the complainant to:

  • undergo a medical check-up and provide a medical certificate;
  • fill out a health declaration providing personal health information; and
  • provide a criminal record certificate.

Subsequently, the complainant filed a complaint against CEAE on the basis that the requested personal data was unnecessary and excessive.

Findings of the AEPD

Following an investigation, the AEPD found that the personal data requested by CEAE was neither necessary nor legally required by the State Aviation Safety Authority (AESA), which regulates schools such as CEAE. Subsequently, the AEPD determined that CEAE had violated Article 6(1) of the GDPR by processing the complainant's personal data without a legal basis. Further, the AEPD found that CEAE had failed to comply with the data minimization principle under Article 5(1)(c) of the GDPR by collecting unnecessary information from the complainant. In addition, the AEPD stated that CEAE's collection of health data from the complainant was neither proportional nor necessary, contrary to Article 9(2) of the GDPR.

The AEPD noted that Eurocollege had absorbed CEAE in 2023 through a merger and therefore Eurocollege was the responsible party for the purpose of the investigation.

Outcomes

In conclusion, the AEPD imposed the aforementioned fine on Eurocollege.

You can download the decision, only available in Spanish, here and access the European Data Protection Board summary here.