The Spanish data protection authority ('AEPD') published, on 16  January 2023, its decision in Proceeding No. PS/00214/2022, in which it imposed a fine of €50,000, subsequently reduced to €40,000, on Thomas International Systems, S.A., for violation of Article 9 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint.

Background to the case

In particular, the AEPD highlighted that the complaint concerned a psychometric test provided by Agroxarxa, S.L., which was run by Thomas International. However, the AEPD noted that, though Agroxarxa provided that candidates were not required to provide sensitive personal data, including race and ethnicity, the psychometric test requested sensitive personal data, adding that its provision was required by the HR department of Agroxarxa.

Findings of the AEPD

Following its investigation, the AEPD found that Thomas International provided the same psychometric test and questionnaire to all clients, including Agroxarxa, that used its services, allowing for the processing of sensitive personal data even when not requested by the client. Accordingly, the AEPD outlined that Thomas International was found to have breached Article 9 of the GDPR.

Outcomes

In conclusion, the AEPD imposed a fine of €50,000 on Thomas International for violation of Article 9 of the GDPR. However, the AEPD provided that Thomas International had already paid the fine in the amount of €40,000, making use of voluntary payment.

You can read the decision, only available in Spanish, here.