Spain: AEPD fines Quesería Artenal Ameco €5,000 for violating Article 6 of the GDPR
The Spanish data protection authority ('AEPD') issued, on 3 February 2020, a resolution ('the Resolution') in proceeding PS/00259/2019, fining Quesería Artenal Ameco S.L. €5,000 for violating Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the AEPD found that Quesería Artenal Ameco had collected and processed personal data of clients and logged them in the company's IT system without being able to prove that consent was provided. Moreover, the AEPD held that in cases where the data subject denies that consent was given, the burden of proof lies with the processing party, which must collect and keep all necessary documentation to prove that it had obtained consent and that Quesería Artenal Ameco held information on 11 data subjects that had never signed any contract or given consent to data processing. Furthermore, the AEPD found that the fine would amount to €5,000 because it was an intentional action and personal identifiers were affected.
You can read the Resolution, only available in Spanish, here.