Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines Muxers Concept €20,000 for processing personal data without legal basis

The Spanish data protection authority ('AEPD') published, on 6 September 2022, its decision in Proceeding No. PS-00178-2022, in which it imposed a fine of €20,000 on Muxers Concept, S.L., for violation of Article 6 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint by an employee.

Background to the case

In particular, the AEPD highlighted that the complaint was made to the Judicial Police, following the discovery of an alleged video surveillance camera and sound recorder in the employee toilets, and an audio recording system in the company locker room hidden under a false ceiling.

Findings of the AEPD

Following its investigation, the AEPD noted that the treatment of images through camera or video camera systems in order to preserve the security of people and goods, as well as facilities in employment circumstances, is provided for under Article 22(8) of the Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD'). However, the AEPD clarified that the surveillance and control measures must be proportional to the purpose pursued, namely to guarantee security and fulfill labour obligations, with the recording of employees interacting with clients being considered disproportionate to the aim of ensuring compliance with labour obligations. Further, the AEPD detailed that the level of recording in the circumstances amounted to an invasion of privacy. Accordingly, the AEPD found that Muxers had, having carried out the applicable data processing without having a legitimate basis, violated Article 6 of the GDPR.

Outcomes

In light of the above, the AEPD imposed a fine of €20,000 for the aforementioned violation.

You can read the decision, only available in Spanish, here.