#SomosRyC

Fines imposed since the entry in force of the GDPR

09 de Octubre de 2019

After the first year of application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation “GDPR”), most supervisory authorities have already imposed sanctions for non-compliance with the GDPR.

Ramón y Cajal Abogados provides here with a summary of the most relevant sanctions imposed in the last months by the European Data Protection Authorities.

We start with an exhaustive analysis on the highest sanction imposed so far by the Spanish Data Protection Agency (250.000 € to the Professional Football League based already on the GDPR), which is completed with the summary table of sanctions imposed by this supervisory authority since May 2018 that appears as an annex to this newsletter.

In addition, we include references to different proceedings opened by other European authorities, without forgetting the recent sanction imposed by the Belgian authority that analyses the conditions for collecting consent for the processing of data in the process of obtaining a loyalty card.

Index

1. The AEPD fines the Professional Football League 250,000 Euros

2. The ICO has imposed the highest penalties so far

3. The CNIL imposes a 50 million fine on Google

4. Other EU supervisory authorities have also imposed sanctions for security breaches (Art. 32 GDPR)

5. The Belgian Data Protection Authority has fined a merchant for non-compliance with the RGPD

6. A Big Four is fined for non-compliance with the provisions of the GDPR

7. In Spain, telecommunications, energy and debt collection companies remain among those receiving the highest fines

8. Other recent EU fines

9. Table of sanctions imposed by the AEPD

1.The AEPD fines the Professional Football League 250,000 Euros

The resolution establishes the highest fine to date in the application of the GDPR. The procedure was initiated following the appearance in the press and media of news about a new feature in the app for mobile devices of the Professional Football League ("LFP", in its Spanish acronym), which could, indiscriminately, capture ambient sounds of the place where the user is, generating some social alarm. The facts were also reported by the association FACUA to the supervisory authority. It should be noted that no data subject or user of the application complained to the AEPD.

The main purpose of the app was to inform the user in real time of news related to their favorite team/s, including alerts of goals, results, etc. In order to detect frauds related to the broadcasting of football matches in public establishments that do not hold the corresponding permits and which, according to the LFP, represent an estimated loss of 150 million Euros for Spanish football system; the app requested the user's authorization to activate the microphone of their device and collect sounds from the place where it was located, as well as information regarding the geolocation of the user.

During the proceedings, LFP mainly made the following allegations:

(i) Users are informed of the functionality through the General Terms of Use and the Privacy Policy that are displayed when installing the app, and they must expressly authorize the treatment through a box unchecked by default.

(ii) Given that the exclusive purpose of this treatment is the detection of fraud, the controversial functionality will be enabled only in users of Android 6 or higher, with a maximum of 50,000 at a national level (out of a total of 10,000,000 users of the application). Outside Spain this functionality is disabled, and within that territory is only activated during the fringes in which the matches take place.

(iii) The app treats the captured sound to convert it into a binary hash; once this acoustic footprint has been generated, the original audio is dismissed and cannot be accessed by the operating system and/or other applications. The process is irreversible and takes place on the user's device before the resulting information is sent to the external company that is in charge of contrasting these fingerprints against those provided by the LFP.

(iv) Consequently, the LFP considers that there is no processing of personal data at this stage of the process, either in terms of the audio that is accessed through the microphone, or in terms of the information relating to the IP address and the identifier that is sent to the servers of the external collaborator (as IP addresses are processed for the sole purpose of establishing the interconnection between the server and the mobile devices).

(v) In the case of the location data concerned, it is transformed into heat maps to identify the most fraudulent territories.

(vi) Prior to the development of the new functionality, the LFP took a number of accountability measures: it requested two legal reports from law firms, held internal privacy by design meetings onwards, and an analysis of the need for a Privacy Impact Assessment and Risks Assessment.

(vii) Users can revoke their consent at any time in the mobile device settings.

The AEPD, however, understands that the LFP carries out a processing of personal data. As to the sound, establishes that"(...) in the first stage of the process, it can be stated that, if the collection takes place during a conversation where personal data is involved, we are faced with the collection of personal data and, therefore, with the processing of personal data. (...) the process of conversion into a fingerprint constitutes in itself one of the phases of the entire processing, which begins to take place from the collection of the information, independently of the subsequent processing, and finally the sending or communication for comparison (...)".

With regard to the IP addresses that the LFP also collects, the AEPD considers that "it is admitted that this was the IP address of the user's device, but it does not indicate the specific moment when it ceased to be used". On the other hand, in accordance with the privacy policy of the LFP available until 26 March 2019, this controller stated that it would process "(...) IP address, operating system, browser ID, browsing activity and other information about how they interact with our LaLiga Environment". In addition, the AEPD inspection deparment revealed that the information transmitted to the external collaborator for comparison included "the fingerprint resulting from the conversion of the audio, the IP address of the device, a specific Identifier that assigns the application to the user and the user agent (...)".

The main reproach, however, is the lack of transparency towards the user of the application. Although he gives his consent for the treatment of the information accessed through the microphone, the fact “that, at a later moment, the processing of the captured audio takes place, and that it is done in one way or another, depends solely on the will of [the LFP], because as is deduced from the report itself that is provided, the computer environment is easily modifiable by changing the programming with the determination of some values or others".

In the opinion of the AEPD, these broad configuration capabilities of the LFP, together with the lapse between the acceptance of the described functionalities and the moment in which the treatment actually takes place, "makes it necessary to adapt the principle of transparency to this type of treatment, and it is essential to inform with certainty and transparency about the time when the treatment will take place -both when the application is installed and during the collection of information-". This is especially the case for more intrusive treatments such as sound pickup through the microphone, or geolocation.

Article 83 GDPR classifies the infringement of the right to transparency as very serious, so that it entails fines up to EUR 20,000,000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In quantifying the penalty, the AEPD accepted only one of the mitigating circumstances invoked by the LFP, relating to the display of an icon each time the device activated geolocation. In contrast, a number of aggravating circumstances were found, such as:

(i) the nature of the infringement (the infringement of an essential informing principle in the processing of personal data is of a special significance);

(ii) the seriousness of the infringement (given the persistence over time, more users could be affected within the limit of 50,000 simultaneous users configured by the LFP);

(iii) the number of affected (since the LFP had the capacity to implement the functionality in the devices of any user who had granted the permits);

(iv) the intentionality of the infringement and the degree of accountability of the LFP (which apparently did not follow all the recommendations of the legal reports requested. That request in itself does not imply compliance with the applicable rules);

(v) although the LFP does not have as its main business purpose the processing of personal data, it does "protect its financial assets from fraud (...) through invasive privacy techniques (...) without the certainty of the effectiveness of such system"; and

(vi) the persistence in the action of the LFP, "which eliminates the only extenuating circumstance observed in the initial agreement, to turn it into a highly qualified aggravating circumstance".

The joint evaluation of all the circumstances described resulted in a increase from the EUR 50,000 of the proposed resolution to the EUR 250,000 finally imposed. This amount represents around 1% of the total worldwide annual turnover of the preceding financial year.

Volver

2.- The ICO has imposed the highest penalties so far

The fine imposed on the LFP does not, however, match the amounts of the sanctions imposed by other control authorities. In line with the first relevant sanction under the new regulatory framework, i.e. the fine of 50 million euros imposed by the National Commission of Informatics and Liberty ("CNIL"), the French supervisory authority, on Google, the Information Commissioner´s Office ("ICO"), the UK supervisory authority, has issued two million-dollar motions for resolutions, both following significant security breaches.

Both proceedings are pending final allegations and resolution, but they are a clear indication of the increase in potential sanctions under the GDPR (especially when the competent enforcement authority calculates the amounts of fines over the overall total annual turnover of the sanctioned company).

The first case concerns British Airways, which suffered an attack involving the redirection of traffic to a fraudulent website where the attackers harvested data from nearly 500,000 customers. The categories affected include access credentials, credit cards, reservation data, and other identification data (although the company initially stated that data had been affected for some 380,000 transactions that did not include passport or travel data). During the investigation serious deficiencies were detected in the security measures implemented by British Airways, so that the proposed sanction slightly exceeds 200 million euros, equivalent to 1.5% of global turnover during the previous year (2017).

The second procedure brings about the security incident suffered by the Marriott hotel chain notified in November 2018, and by which the data of nearly 339 million customers worldwide were exposed. The vulnerability is believed to originate from a hotel group acquired by Marriott in 2016 (Starwood), which could have been compromised since 2014. The eventual sanction would be imposed on Marriott for a lack of diligence in both Starwood's pre-purchase examination and in implementing its own security measures. The ICO's proposal includes an economic penalty of just over 100 million euros, which represents around 3% of global turnover in 2018.

Volver

3.- The CNIL imposes a 50 million fine on Google

On January the French supervising authority imposed what was at the time the highest fine within the EU under the GDPR. According to the CNIL, Google had failed to comply with its transparency obligations, as well as to obtain data subjects’ consent pursuant to art. 4 GDPR.

The complaint was initially brought by two organisations from Austria (None of Your Business) and France (“La Quadrature du Net”), concerned about the Google account creation process when setting up an Android smartphone. According to the claimants, Google had failed to (i) provide sufficient information, in a clear and plain language, of the purposes of the processing, as well as (ii) obtain user’s consent to process their data for personalized marketing purposes.

In its ruling, the CNIL considers that the information provided by Google was not easily accessible: it was spread among several documents, each of which contained multiple links to additional information and requiring up to 5 or 6 user clicks to be accessed. Furthermore, the description of the data categories subject to processing and the purposes thereof were too vague. When obtaining consent, Google allowed users to modify a limited set of options and the displayed boxes were checked by default.

The CNIL also found that Google had not provided clear information on (i) the legal basis supporting its processing activities and (ii) the criteria that would allow users to determine retention periods on certain type of data.

The French supervising authority took into consideration several aggravating circumstances when imposing the fine, such as the fact that GDPR violations (i) concerned its essential principles and (ii) are still occurring. Additionally, Android OS has a significant presence in the French market and the privacy policies presented to users rule a variety of services provided by Google to all account holders.

Volver

4.- Other EU supervisory authorities have also imposed sanctions for security breaches (Art. 32 GDPR

The inadequacy of security measures implemented by controllers has also been subject to sanctions in other Member States. In Romania, for example, 15,000 euros have been imposed on the World Trade Center Bucharest hotel for keeping a list unattended in order to verify which guests ate breakfast.

Additionally, in France and Lithuania SERGIC and YSC Mistertango have been sanctioned with 400.000€ and 61.500€, respectively, for hosting personal data on their servers without implementing adequate security measures to prevent the information from being freely available on the Internet. The appreciable disparity between the amounts is due to the fact that in both cases there were other breaches of regulations and circumstances of different gravity.

Also in France, the French Data Protection Authority issued a 180.000 € fine against insurer Active Assurances on the basis that the company had “breached its obligation to secure personal data provided for by Article 32" of the GDPR. The fact dates for the year 2018, when an Active Assurance customer claimed that he was able to access personal data of other customers (among them, driver’s licenses, registration cards or bank identification records) only changing the numbers at the end of the URL in the browser.

The CNIL informed the company which stated that measures to rectify the cited infringements have been implemented. However, on an on-site inspection, CNIL found that the measures taken were not sufficient. According to the CNIL, Active Assurances should have instructed the customers to use strong passwords and it should not have sent them the passwords in plain text by e-mail.

Volver

5. The Belgian Data Protection Authority has fined a merchant for non-compliance with the RGPD

The Belgian data protection authority imposed a fine of 10,000 € on a merchant for the disproportionate use of the electronical identity card for the purpose of creating a loyalty card. The complainant refused to provide him with such document so the benefit of the card was denied to him, even when he offered to provide the merchant with his personal data.

In particular, the authority has considered that: (I) the principle of data minimization was infringed (the merchant needed data such as name, surname, address, etc., but he also wanted to have access to the photo and the barcode linked to the national registration number), (II) and the consent given could not be considered as freely given because no alternative was offered to the customers: if they refused to allow the use of their electronic identity card, they could not enjoy advantages and discounts.

Volver

6.- A Big Four is fined for non-compliance with the provisions of the GDPR

The Hellenic Data Protection Authority has imposed its first sanction for non-compliance with the General Data Protection Regulation (“GDPR”) on PriceWaterhouseCoopers (“PWC”) which amounts to 150.000€.

PWC processed employee’s personal data violating the principles of accountability, lawfulness, fairness and transparency.

PWC made the false impression on employees that their personal data were being processed in accordance with the legal basis of consent, while in fact they were processing it with another legal basis, about which employees were never informed, in breach of the principle of transparency included in Article 5 GDPR and consequently, in breach of the obligation to provide information pursuant to Articles 13 and 14 GDPR.

For this reason, the Greek Authority has decided to impose a fine of 150.000€ on PWC in accordance with Article 83 GDPR and has also decided to give the company a period of three months in which to correctly adapt the processing operations of its employees' personal data, as well as to ensure the correct application of the principles infringed, evidencing their compliance.

This sanction is the first fine for breach of the GDPR to one of the Big Four.

For more information click on the following link.

Volver

7.- In Spain, telecommunications, energy and debt collection companies remain among those receiving the highest fines

Returning to Spain, the rest of the fines imposed by the AEPD involve smaller amounts, similar to those that would have been imposed under the previous regulatory framework. In this sense, the sanctions for errors of the controller for which receipts or invoices are demanded from the wrong data subject stand out due to their frequency.

Endesa Energía XXI has been sanctioned for an error in the modification of the data of a contract and, by acknowledging its responsibility and voluntarily paying the sanction, reduced the amount of the sanction by 40%, which was finally 60,000 euros. In most of the proceedings for this type of error, the entity sanctioned is Vodafone, which used the same mechanisms to end up paying 28.000 euros, 36,000 euros and 36,000 euros, respectively.

On the other hand, the AEPD continues to sanction, under the protection of the GDPR, non-compliance related to the processing of debtor data, whether it be the inclusion of data subject in common files of debtors (60,000 euros to Yoigo), or for exceeding the limits in the processing of data and claiming payment through means and addresses not provided by the data subject to the creditor collected from the Internet (60.000 a Gestión de Cobros, Yo Cobro).

Volver

8.- Other recent EU fines

· In France, Uniontrad Company has been fined EUR 20,000 for failing to comply with the requirements on the use of video surveillance systems. The sanctioned entity ignored the warnings of the CNIL regarding the limitation of the time during which employees were recorded and the provision of adequate information of the processing.

· In Denmark, IDdesign (a furniture manufacturer) has been fined EUR 200,000 for failing to comply with the principle of storage limitation and for over-processing data from around 385,000 customers.

· In Romania the supervisory authority has sanctioned Unicredit Bank with EUR 130,000 for a violation of the principles of privacy by design and by default, since its customers could access the ID and address of those payers who made the transaction with accounts of other entities.

· In Hungary, a festival organiser has been fined EUR 92,000 for failing to comply with the principles of purpose limitation and storage limitation. The sanctioned entity defended its legitimate interest in ensuring the safety of the attendees (in particular, against terrorist attacks) but the supervisory authority considered that the processing activities deployed to identify the interested parties were disproportionate.

· In Belgium, the use of e-mail addresses to which a mayor had access in the exercise of his functions for electoral purposes has been sanctioned with EUR 2,000.

· In Germany, a police officer has been fined EUR 1,400 for misusing the data of a data subject without duly justifying the link between his enquiries and the exercise of his duties.

Volver

9.- Table of sanctions imposed by the AEPD

Ramón y Cajal Abogados has analyzed the different fines and warnings imposed by the AEPD since the application of the GDPR. You can find the analysis below:

Nº	Keywords	Facts	Section of GDPR infringed	Company /individual	Penalty	Link
1	Apps, breach of transparency principle	The accused entity collected, through a mobile app, information of geolocation and microphones from users' mobile phones. The objective was to detect fraud in the consumption of televised football in unauthorized locations. The AEPD understands that the access to the microphone and location data is opaque and that the app should warn the user each time the controversial feature is activated. The LFP argues that it obtained the informed consent of the users and has announced that it will appeal the decision to the competent court (“Audiencia Nacional”).	Art. 5.1.a) GDPR, typified in art. 83.5 a) GDPR	Liga Nacional de Fútbol Profesional (LFP)	250.000€	https://www.aepd.es/resoluciones/PS-00326-2018_ORI.pdf
2	Energy, breach of integrity and confidentiality principle	ENDESA disclosed a third party's personal data by charging the claimant's bank account with a gas receipt that did not correspond to her, but to the third party.	Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR	ENDESA ENERGÍA XXI, S.L.U.	Initial proposed fine: 100.000€ Final fine: 60.000€ due to responsibility recognition and prompt payment.	https://www.aepd.es/resoluciones/PS-00074-2019_ORI.pdf
3	Financial solvency/ Creditworthiness Files, breach of accuracy principle	Due to an error in the entry of the telephone number, the claimant received calls from XFERA MÓVILES, S.A. requiring a debt of which it was not the owner and warning it that it would be recorded in a creditworthiness file.	Art. 5 GDPR, typified in art. 83.5 GDPR	XFERA MÓVILES, S.A. (YOIGO)	65.000€	https://www.aepd.es/resoluciones/PS-00094-2019_ORI.pdf
4	Financial solvency/ creditworthiness files, lack of lawfulness	AVON issued invoices with the personal data of the claimant and these were included in a financial solvency/creditworthiness files. AVON could not prove its lawfulness for the processing of such data, since the contract that would serve as a basis was not signed and its formalization was denied by the data subject.	Art. 6 GDPR, typified in art. 83.5 GDPR	AVON COSMETICS S.A.U	60.000€	https://www.aepd.es/resoluciones/PS-00159-2019_ORI.pdf
5	Financial solvency/ creditworthiness files, breach of accuracy principle	The company included the claimant's personal data in a creditworthiness file (BADEXCUG) although the claimant had already settled its debt.	Art. 5.1 d) GDPR, typified in art. 83.5 GDPR	XFERA MÓVILES, S.A. (YOIGO)	60.000€	https://www.aepd.es/resoluciones/PS-00011-2019_ORI.pdf
6	Debts’ recovery, breach of integrity and confidentiality principle	The entity (dedicated to collecting debts) sent emails to the email addresses that the claimant provided when contracting the credit, but also to the institutional email address of her workplace, which could be accessed by other people besides her.	Art. 5.1.f) GDPR, typified in art. 83.2 GDPR	GESTIÓN DE COBROS, YO COBRO, S.L.	60.000€	https://www.aepd.es/resoluciones/PS-00121-2019_ORI.pdf
7	Telecommunications, lack of lawfulness (consent)	Processing of the claimant's ID number without his consent, because it was associated with another client. In addition, he could access the profile of that third client without authorization and due to VODAFONE’s negligence.	Art.6.1.a) GDPR, typified in art. 83.5 a) GDPR	VODAFONE ESPAÑA, S.A.U.	Initial proposed fine: 60.000€ Final fine: 36.000€ due to responsibility recognition and prompt payment.	https://www.aepd.es/resoluciones/PS-00056-2019_ORI.pdf
8	Breach of security of processing	The claimant, when accessing the company's customer area through her mother's username and password, was presented with the data of a third party without the latter's consent.	Art. 32 GDPR, typified in art. 83. 4 a) GDPR	VODAFONE ONO, S.A.U	Initial proposed fine: 60.000€ Final fine: 48.000€ due to prompt payment.	https://www.aepd.es/resoluciones/PS-00212-2019_ORI.pdf
9	Telecommunications, breach of integrity and confidentiality principle	VODAFONE ONO sent an email to a large number of clients without making use of the blind copy mechanism.	Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR	VODAFONE ONO, S.A.U.	Initial proposed fine: 60.000€ Final fine: 36.000€ due to responsibility recognition and prompt payment.	https://www.aepd.es/resoluciones/PS-00092-2019_ORI.pdf
10	Telecommunications, breach of integrity and confidentiality principle	VODAFONE did not respect the precautionary period between the cancellation of a user of a telephone number and the assignment of the same number to a new user. Therefore, in the "My Vodafone" application, the personal data of the old client continued to appear despite the fact that the telephone number corresponds to a new user.	Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR	VODAFONE ESPAÑA S.A.U.	Initial proposed fine: 60.000€ Final fine: 36.000€ due to responsibility recognition and prompt payment.	https://www.aepd.es/resoluciones/PS-00215-2019_ORI.pdf
11	Breach of lawfulness, fairness and transparency principle	TELEFONICA charged the claimant's bank account with two invoices for the services he had contracted, showing the personal details and address of another client. The entity has not rectified the error yet.	Art. 5.1.a) GDPR, typified in art. 83.2 GDPR	TELEFONICA MOVILES ESPAÑA, S.A.U.	Initial proposed fine: 60.000€ Final fine: 48.000€ due to responsibility recognition and prompt payment.	https://www.aepd.es/resoluciones/PS-00173-2019_ORI.pdf
12	Breach of integrity and confidentiality principle	VODAFONE disclosed the claimant's personal data to a third party via an SMS containing a link to the claimant's "Purchase Summary" where her data could be accessed.	Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR	VODAFONE ESPAÑA, S.A.U.	Initial proposed fine: 48.000€ Final fine: 30.000€ due to responsibility recognition and prompt payment.	https://www.aepd.es/resoluciones/PS-00205-2019_ORI.pdf
13	Telecommunications, breach of accuracy principle	The complainant received more than 200 SMS because VODAFONE associated his phone number with other customers and used it, by mistake, to test the sending of messages and check the quality of the online store.	Art. 5.1.d) GDPR, typified in art. 83.5 GDPR	VODAFONE ESPAÑA, S.A.U.	Initial proposed fine: 45.000€ Final fine: 27.000€ due to responsibility recognition and prompt payment.	https://www.aepd.es/resoluciones/PS-00411-2018_ORI.pdf
14	Telecommunications, lack of lawfulness (consent)	The entity charged the claimant for a Netflix service that it had not contracted. VODAFONE was not able to prove that the affected party had given its consent, nor conducted the minimum diligence required to verify the identity of the signatory.	Art. 6.1 GDPR, typified in art. 83.5 GDPR	VODAFONE ESPAÑA, S.A.U.	40.000€	https://www.aepd.es/resoluciones/PS-00064-2019_ORI.pdf
15	Telecommunications, lack of lawfulness	VODAFONE invoiced a mobile phone user, who was not any longer customer of such entity.	Art. 6.1 GDPR, typified in art. 83.5 GDPR	VODAFONE ESPAÑA, S.A.U.	Initial proposed fine: 35.000€ Final fine: 21.000€ due to responsibility recognition and prompt payment.	https://www.aepd.es/resoluciones/PS-00087-2019_ORI.pdf
16	Video surveillance, breach of minimisation principle	Installation of video surveillance system inside a building without an informative sign. The employees had not been informed about their data protection rights. The establishment did not have a form available for clients to exercise their rights.	Art. 5.1 c) GDPR, typified in art. 83.5 GDPR	Individual	20.000€	https://www.aepd.es/resoluciones/PS-00150-2019_ORI.pdf
17	Breach of lawfulness, fairness and transparency principle	The claimant was recorded at his workplace using another employee's mobile phone and without his consent. These recordings were provided as evidence to justify the disciplinary sanction imposed on him.	Art. 5.1 a) GDPR, typified in art. 83.5 GDPR	SANTI 3000, S.L. (RESTAURANTE LA OLIVA)	Initial proposed fine: 12.000€ Final fine: 9.600€ due to prompt payment.	https://www.aepd.es/resoluciones/PS-00401-2018_ORI.pdf
18	Video surveillance, breach of minimisation principle	After an inspection by the Local Police, they found an image-recording device in the corridor area of a building in order to control the workers inside the residence. In addition, there was no informative sign.	Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR	Individual	9.000€	https://www.aepd.es/resoluciones/PS-00050-2019_ORI.pdf
19	Video surveillance, breach of minimisation principle	Installation of a video surveillance system consisting of a series of security cameras oriented to the public road without just cause.	Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR	AMADOR RECREATIVOS, S.L. (Playroom TIKI TAKA)	Initial proposed fine: 6.000€ Final fine: 3.600€ due to responsibility recognition and prompt payment.	https://www.aepd.es/resoluciones/PS-00135-2019_ORI.pdf
20	Telecommunications, financial solvency/creditworthiness files, breach of accuracy principle	VODAFONE included the claimant's data in a financial solvency/creditworthiness files, despite the existence of a complaint previously filed by the data subject to the Telecommunications Authority ("Secretaría de Estado para el Avance Digital - SEAD") for discrepancies in the application of a call voucher signed with the operator. Such claim had been confirmed by SEAD.	Art. 5.1.d) GDPR, typified in art. 83.5 GDPR	VODAFONE ESPAÑA S.A.U.	5.000€	https://www.aepd.es/resoluciones/PS-00331-2018_ORI.pdf
21	No purpose limitation, breach of integrity and confidentiality principle	The claimant filled out a form with his personal data to request information about an offer, and was added to a WhatsApp group without his consent.	Art.5.1.b) and f) GDPR, typified in art. 83.5 a) GDPR	DESSAU ARTE INMOBILIARIO, S.L. (CENTURY 21 ARQUITECTURA)	Warning	https://www.aepd.es/resoluciones/PS-00195-2019_ORI.pdf
22	Video surveillance, breach of minimisation principle	Installation of a recording device that expressly directed the claimant's workplace in a disproportionate manner, affecting the claimant´s privacy.	Art.5.1.c) GDPR, typified in art. 83.5 a) GDPR	ELECTROMECANICA REYES, S.L	Warning	https://www.aepd.es/resoluciones/PS-00123-2019_ORI.pdf
23	Video surveillance, breach of minimisation principle	Installation of a video surveillance system that disproportionately captured images of public space.	Art. 5 GDPR, typified in art. 83.5 GDPR	METROPOLITAN SPAIN, SL (Gym)	Warning	https://www.aepd.es/resoluciones/PS-00341-2018_ORI.pdf
24	Breach of integrity and confidentiality principle	An information note showing a neighbour's debts was published in a place of the Community accessible by neighbours and third parties.	Art. 5.1.f) GDPR, typified in art. 83.5 GDPR	Community of neighbours	Warning	https://www.aepd.es/resoluciones/PS-00084-2019_ORI.pdf
25	Communication of personal data, lack of lawfulness (consent)	The owners of a workshop communicated the claimant's details to the third party without his consent, regarding some irregularities of an invoice. The third party contacted him to “resolve the situation” by means of coercion.	Art. 6.1.a) GDPR, typified in art. 83.5 a) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00105-2019_ORI.pdf
26	Video surveillance, lack of information	Installation of a video surveillance system in a vehicle workshop without having the informative sign that notifies the data subjects that there is a processing of personal data.	Art. 13 GDPR, typified in art. 83.5 b) GDPR	FORMAUTO ALVAREZ FERNANDEZ, S.L.	Warning	https://www.aepd.es/resoluciones/PS-00136-2019_ORI.pdf
27	Telecommunications lack of lawfulness	The company assigned the claimant a payment for a telephone line to the claimant without his consent. Some personal data concerning the claimant in the entity's database did not belong to him, but to an unknown third party.	Art. 6.1 GDPR, typified in art. 83.5 a) GDPR	VODAFONE ESPAÑA, S.A.U.	Warning	https://www.aepd.es/resoluciones/PS-00086-2019_ORI.pdf
28	Communication for marketing purposes, lack of lawfulness (consent)	The company used the complainant's email address to send her newsletters when she had already withdrawn her consent and the company confirmed that the unsubscription had been completed.	Art.6.1.a) GDPR, typified in art. 83.5 a) GDPR	ANIMA NATURALIS	Warning	https://www.aepd.es/resoluciones/PS-00400-2018_ORI.pdf
29	Lack of information	The website portaenrere.cat did not offer any information on privacy policy, legal notice, or the way in which it carried out the processing of personal data of people who subscribed to it.	Art. 13 GDPR, typified in art. 83.5 b) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00100-2019_ORI.pdf
30	Video surveillance, breach of minimisation principle	The claimed installed a video surveillance system on the balcony of his home in order with security purposes, which captured images of the public road disproportionately and unnecessarily in relation to the purpose.	Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00416-2018_ORI.pdf
31	Video surveillance, breach of minimisation principle	The claimed installed a video surveillance system in their dwelling that could capture images of the public road and the neighbouring dwelling.	Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR	Individuals	Warning	https://www.aepd.es/resoluciones/PS-00349-2018_ORI.pdf
32	Lack of information	The claimed collected personal data from users to send them confirmation of the products selected in the shopping cart and to contact them in case of incidents, without providing the information required by the GDPR.	Art. 13 GDPR, typified in art. 83.5 b) GDPR	LIVING TERRITORIWEB, S.L.	Warning	https://www.aepd.es/resoluciones/PS-00419-2018_ORI.pdf
33	Video surveillance, breach of minimisation principle	Installation of cameras that obtained images of a traffic area for vehicles on a public road.	Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR	DUNNES STORES ANDALUCIA S.A	Warning	https://www.aepd.es/resoluciones/PS-00130-2019_ORI.pdf
34	Video surveillance, out-of-date information	Installation of a video surveillance system that recorded images on a continuous basis. There was an informative sign with a link to the page of the company that carried out the installation on it; but the website did not include the information required by the GDPR.	Arts. 12.1 and 13 GDPR, typified in art. 83.5 b) GDPR	KIOROMAR, S.L.	Warning	https://www.aepd.es/resoluciones/PS-00352-2018_ORI.pdf
35	Video surveillance, breach of minimisation principle	Installation of a video surveillance system to obtain images of the public road due to a "bad relationship" between the claimed and his neighbour, which does not justify the recording of the public road, which also affects third parties.	Art. 5.1 c) GDPR, typified in art. 83.5 a) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00077-2019_ORI.pdf
36	Minors, lack of lawfulness (consent)	The association photographed the claimant's children to commercialize calendars without asking for the specific consent of their parents.	Arts. 6.1 a) and 8 GDPR, typified in art. 83 GDPR	ASOCIACIÓN DE MADRES Y PADRES DEL COLEGIO MARÍA BLANCHARD (Parents’ association of a school)	Warning	https://www.aepd.es/resoluciones/PS-00089-2019_ORI.pdf
37	Public entity, breach of integrity and confidentiality principle	The fined entity exposed in its notice board (located in the public road) a list of fourteen people with their corresponding ID numbers and signatures without their consent.	Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR	CONCEJO DE GARISOAIN (Public regional administration)	Warning	https://www.aepd.es/resoluciones/PS-00066-2019_ORI.pdf
38	Video surveillance, breach of minimisation principle	Installation of a video surveillance system that recorded images of the holder’s porch and the public street, but the only purpose was receiving images of the private surroundings.	Art. 5.1.c) and 6 GDPR, typified in art. 83.5 a) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00003-2019_ORI.pdf
39	Video surveillance, breach of minimisation principle	Installation of a video surveillance system, with one of the cameras focusing disproportionately on the dwelling that borders the one of the defendant, without the appropriate informative sign.	Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00090-2019_ORI.pdf
40	Video surveillance, breach of minimisation principle	Installation of a video surveillance system that recorded images both from the public street and the establishment’s terrace.	Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR	GURMELIA S.C. (TAPERÍA ALBEDRÍO)	Warning	https://www.aepd.es/resoluciones/PS-00354-2018_ORI.pdf
41	Video surveillance, breach of minimisation principle, lack of lawfulness	Installation of a video surveillance system outside of the owner’s dwelling, focusing on the balconies of the adjoining dwellings and the public street.	Art. 5.1 c) and 6 GDPR, typified in art. 83.5 a) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00010-2019_ORI.pdf
42	Communication for marketing purposes, lack of transparency and information	The controller, when collecting personal information, did not provide an option to object the processing of personal data for direct marketing purposes.	Art. 12 GDPR, typified in art. 83.5 b) GDPR	TALLERES AUTOPINTURA JIMENEZ, S.L.	Warning	https://www.aepd.es/resoluciones/PS-00429-2018_ORI.pdf
43	Workplace, breach of integrity and confidentiality principle	The entity sent an email to the claimant and three other colleagues about a work-related issue, without making use of the blind copy mechanism.	Art. 5.1. f) GDPR, typified in art. 83.5 a) GDPR	QUALITY TECHNOLOGY SOLUTIONS ALPE, S.L.	Warning	https://www.aepd.es/resoluciones/PS-00040-2019_ORI.pdf
44	Workplace, breach of accuracy principle	Claimant’s image was still linked to the company’s web page and web browsers despite the fact that he did not work there since two years before.	Art. 5.1 d) GDPR, typified in art. 83.5 a) GDPR	CIBES LIFT IBERICA, S.L.	Warning	https://www.aepd.es/resoluciones/PS-00054-2019_ORI.pdf
45	Breach of integrity and confidentiality principle	The entity gave its partners access to documentation with personal data of the complainant and the partners he proposed as witnesses in the disciplinary proceedings that the entity initiated against him.	Art. 5.1 f) GDPR, typified in art. 83.5 a) GDPR	CLUB RECREATIVO DEPORTIVO PARQUE CARTUJA (Sports club)	Warning	https://www.aepd.es/resoluciones/PS-00037-2019_ORI.pdf
46	Video surveillance, breach of minimisation principle	Installation of a camouflaged video surveillance system with cameras looking at the public street, monitoring the entrance of the claimant’s building and without the proper informative sign.	Art. 5 and 6 GDPR, typified in art. 83.5 a) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00334-2018_ORI.pdf
47	Video surveillance, lack of information, breach of minimisation principle	Installation of unmarked video surveillance system filming people passing through the street without just cause.	Art. 5.1.c) and 6 GDPR, typified in art. 83.5 a) GDPR	CALVADOS 14, S.L.	Warning	https://www.aepd.es/resoluciones/PS-00022-2019_ORI.pdf
48	Breach of integrity and confidentiality principle, security measures, security breach	The employees of the cleaning service of the school threw documents into a container, including student’s examinations with personal data on them, without taking appropriate measures for the destruction of such documents.	Art. 5.1. f) GDPR, typified in art. 83.5 a) GDPR	NOBELIS, SOCIEDAD COOPERATIVA MADRILEÑA (Private educational center)	Warning	https://www.aepd.es/resoluciones/PS-00002-2019_ORI.pdf
49	Breach of integrity and confidentiality principle	The entity sent an email to 24 people without making use of the blind copy mechanism.	Art. 5.1. f) GDPR, typified in art. 83.5 a) GDPR	THE OLIVER GROUP TORREVIEJA, S.L.	Warning	https://www.aepd.es/resoluciones/PS-00405-2018_ORI.pdf
50	Video surveillance, breach of minimisation principle	Installation of a video surveillance system on his façade without authorization.	Art. 5.1 c) and 6 GDPR, typified in art. 83.5 a) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00376-2018_ORI.pdf
51	Video surveillance, breach of minimisation principle	Installation of a camera in a dwelling that took disproportionate images of the public road without authorization.	Art. 5.1 c) and 6 GDPR, typified in art. 83.5 a) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00418-2018_ORI.pdf
52	Lack of information	The web collected personal data from people who accessed and registered on it without been provided with the relevant information.	Art. 13 GDPR, typified in art. 83.5 GDPR	WWW.YELLOWELEPHANT.ES	Warning	https://www.aepd.es/resoluciones/PS-00015-2019_ORI.pdf
53	Video surveillance, breach of minimisation principle, lack of lawfulness	Installation of a video surveillance system in a building, focusing on the public road without any informative sign.	Art. 5.1 c) and 6 GDPR, typified in art. 83.5 a) and b) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00335-2018_ORI.pdf
54	Financial solvency/creditworthiness files, breach of accuracy principle	Inclusion of the claimant's personal data in a financial solvency/creditworthiness files (ASNEF), regarding a debt that was not certain, due or enforceable.	Art. 5.1 d) GDPR, typified in art. 83.5 a) GDPR	SISTEMAS FINANCIEROS MOVILES SL	Warning	https://www.aepd.es/resoluciones/PS-00330-2018_ORI.pdf
55	Workplace, video surveillance, breach of minimisation principle	Installation of video surveillance system in the hotel premises that obtained images of the staff canteen, toilet door for staff, etc.	Art. 5.1 c) GDPR, typified in art. 83.5 GDPR)	HOTEL ROYAL AL ANDALUS S.A.	Warning	https://www.aepd.es/resoluciones/PS-00346-2018_ORI.pdf
56	Video surveillance, breach of minimisation principle	Installation of a video surveillance system on the façade of the entity focusing the entrance to it, that captured images of people passing through the street and vehicles circulating on the roadway.	Art. 5.1 c) GDPR, typified in art. 83.5 GDPR	SANCHEZ JOYEROS TEMPO 2016, S.L.	Warning	https://www.aepd.es/resoluciones/PS-00348-2018_ORI.pdf
57	Video surveillance, breach of minimisation principle	Installation of a video surveillance system which focused on the complainant's home.	Art. 5.1 c) GDPR, typified in art. 83.5 GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00347-2018_ORI.pdf
58	Video surveillance, breach of minimisation principle	Installation of a panoramic video surveillance camera at the entrance of its facilities, capturing images of people passing through the street.	Art. 5.1 c) GDPR, typified in art. 83.5 GDPR	TODOFUNDICION, S.L.	Warning	https://www.aepd.es/resoluciones/PS-00375-2018_ORI.pdf
59	Video surveillance, breach of minimisation principle, lack of lawfulness	Installation of a video surveillance system on the private property of the claimed but with orientation towards the public street in order to obtain images of her vehicle without having any informative sign.	Art. 5.1 c) and 6.1 GDPR, typified in art. 83.5 a) and b) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00378-2018_ORI.pdf
60	Breach of data minimisation principle	The complainant applied for the selection process of the Superior Corps of Technicians in Penitentiary Institutions. By typing her name and surname in the Google search engine, there is a reference to BOE where it contains the resolution of admitted and excluded. The resolution contains the claimant's personal data (Name/Surname/ID number/disability degree).	Art. 5.1 c) and 9. 1 GDPR, typified in art. 83.5 a) and b) GDPR	Secretaría General de Instituciones Penitenciarias (Body of Penitentiary Institutions)	Warning	https://www.aepd.es/resoluciones/PS-00361-2018_ORI.pdf
61	Video surveillance, breach of lawfulness principle	Placement of a video camera that focused directly on the entrance of the Headquarters without informing the agents of the placement or its purpose and without any informative sign.	Art. 6.1 c) GDPR, typified in art. 83.5 a) GDPR	Ayuntamiento de Corita del Ebro (Corita del Ebro City Council)	Warning	https://www.aepd.es/resoluciones/PS-00359-2018_ORI.pdf
62	Lack of information	Collection of personal data of users through a web form without being provided with the information required by Article 13 GDPR correctly and completely.	Art. 13 GDPR, typified in art. 83.5 b) GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00377-2018_ORI.pdf
63	Video surveillance, breach of minimisation principle	Installation of two video surveillance cameras on the façade of an establishment facing the street and the entrance to a building.	Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR	VENDING Y DISTRIBUCIÓN 2017, S.L	Warning	https://www.aepd.es/resoluciones/PS-00353-2018_ORI.pdf
64	Video surveillance, breach of minimisation principle	Installation of a video surveillance system pointing at the public road and without the proper informative sign. In addition, the images were stored indefinitely.	Art. 5.1 c) GDPR, typified in art. 83.5 GDPR	Individual	Warning	https://www.aepd.es/resoluciones/PS-00120-2019_ORI.pdf
65	Video surveillance, breach of minimisation principle	Installation of a video surveillance system both inside and outside a bar, recording external public areas. Inside the bar there was no informative sign, and outside there was a small sign that could not be easily seen.	Art. 5.1 c) GDPR, typified in art. 83.5 GDPR	BAR TARIQUEJO	Warning	https://www.aepd.es/resoluciones/PS-00117-2019_ORI.pdf
66	Lack of information	The company processed personal data without providing the data subjects with the information required by data protection regulations.	Art. 13 GDPR, typified in art. 83.5 GDPR	CHAPAUTO SPORT, S.L.	Warning	https://www.aepd.es/resoluciones/PS-00408-2018_ORI.pdf
67	Breach of integrity and confidentiality principle, public administration	Processing of personal information of citizens who went to the Department of Social Services of the City Council in offices shared by several professionals.	Arts. 5.1.f) and art. 32.1.b) GDPR, typified in art. 83.4 a) GDPR	AYUNTAMIENTO DE PARLA (Parla City Council)	Warning	https://www.aepd.es/resoluciones/PS-00365-2018_ORI.pdf
68	Breach of security of processing	Defective configuration of an email account dedicated to internal management of the store. The emails that were sent from that account were visible on the devices exposed in the store.	Art. 32 GDPR, typified in art. 83.4 a) GDPR	BALMORE ATLANTIC, S.L.	Warning	https://www.aepd.es/resoluciones/PS-00431-2018_ORI.pdf
69	Communication for marketing purposes, withdrawing of consent	The complainant continued to receive communications for marketing purposes of Vodafone via SMS despite having expressed his wish not to receive them.	Art. 21.1 E-commerce Act, typified in art. 38.4.d)	VODAFONE ESPAÑA, S.A.U.	Initial proposed fine: 10.000€ Final fine: 6.000€ due to responsibility recognition and prompt payment.	https://www.aepd.es/resoluciones/PS-00189-2019_ORI.pdf
70	Communication for marketing purposes, lack of lawfulness (consent)	The complainant received communications for marketing purposes from the Company without having had any commercial relationship in the past.	Art. 21.1 E-commerce Act, typified in art. 38.4.d)	MAPEX AGENCIA CONSULTING, S.L.	1.000€	https://www.aepd.es/resoluciones/PS-00169-2019_ORI.pdf

Volver

Further information:

Norman Heckh
nheckh@ramoncajal.com

María Luisa González
mlgonzalez@ramoncajal.com

Madrid

Almagro, 16-18
Madrid 28010
T: (+34) 91 576 19 00

Barcelona

Avenida Diagonal 615, 8ª planta.
08028
T (+34) 93 494 74 82

1. The AEPD fines the Professional Football League 250,000 Euros

2. The ICO has imposed the highest penalties so far

3. The CNIL imposes a 50 million fine on Google

4. Other EU supervisory authorities have also imposed sanctions for security breaches (Art. 32 GDPR)

5. The Belgian Data Protection Authority has fined a merchant for non-compliance with the RGPD

6. A Big Four is fined for non-compliance with the provisions of the GDPR

7. In Spain, telecommunications, energy and debt collection companies remain among those receiving the highest fines

8. Other recent EU fines

9. Table of sanctions imposed by the AEPD

Further information:

Norman Heckh nheckh@ramoncajal.com

María Luisa González mlgonzalez@ramoncajal.com

Madrid

Barcelona

1. The AEPD fines the Professional Football League 250,000 Euros

2. The ICO has imposed the highest penalties so far

3. The CNIL imposes a 50 million fine on Google

4. Other EU supervisory authorities have also imposed sanctions for security breaches (Art. 32 GDPR)

5. The Belgian Data Protection Authority has fined a merchant for non-compliance with the RGPD

6. A Big Four is fined for non-compliance with the provisions of the GDPR

7. In Spain, telecommunications, energy and debt collection companies remain among those receiving the highest fines

8. Other recent EU fines

9. Table of sanctions imposed by the AEPD

Further information:

Norman Heckh nheckh@ramoncajal.com

María Luisa González mlgonzalez@ramoncajal.com

Madrid

Barcelona

Norman Heckh
nheckh@ramoncajal.com

María Luisa González
mlgonzalez@ramoncajal.com

Norman Heckh
nheckh@ramoncajal.com

María Luisa González
mlgonzalez@ramoncajal.com