Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD issues €500,000 fine for transparency violations

The Spanish data protection authority ('AEPD') published, on 10 May 2022, its decision in Proceeding No. PS-00037-2022, in which it imposed a fine of €500,000 on an unnamed company, for violations of Article 13 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint from the Superior Police Headquarters of the Basque Country and subsequent investigation from the AEPD.

Background to the decision

In particular, the AEPD noted that the Superior Police Headquarters sent a notification of an alleged breach of data protection regulations. More specifically, the AEPD highlighted that customers were forced to provide their data (both in writing and by providing a copy of documentation) in order to reserve an appointment for the processing of documentation from the National Police. In addition, the AEPD detailed that the unnamed company failed to provide their clients with all the information required by Articles 13 and 14 of the GDPR. Prior to the claiming for processing, the AEPD explained that the data was also transferred in accordance with the provisions of Article 65(4) of the Organic Law 3/2018 of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD').

Findings of the AEPD

Following its investigation and with the evidence available at the time, the AEPD found that the unnamed company violated Article 13 of the GDPR. In short, the AEPD clarified that when a person arrives at the establishment and their personal data is requested, data controllers are required to provide information established in Article 13 of the GDPR in a simple way. Consequently, the collecting of personal data from appointment applicants to carry out procedures without such disclosure violated Article 13 of the GDPR and was subject to a fine in line with Article 83(5) of the GDPR.

Outcomes

Consequently, the AEPD imposed a fine of €500,000 for the violation, outlining mitigating factors including the non-linkage of the unnamed company's activity with the processing of personal data. In addition, the AEPD concluded that it may require the person in charge to adapt data processing that complies with data protection regulations. Finally, the AEPD stated that where its requirements are not met it may be considered an administrative offence in accordance with the provisions of the GDPR, and such conduct may motivate the opening of a subsequent sanctioning administrative procedure.

You can read the decision, only available in Spanish, here.