Fines imposed since the entry into force of the GDPR
9 October 2019

After the first year of application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”), most supervisory authorities have already imposed sanctions for non-compliance with the GDPR.

Ramón y Cajal Abogados provides here a summary of the most relevant sanctions imposed in recent months by the European data protection authorities.

We start with an exhaustive analysis of the highest sanction imposed so far by the Spanish Data Protection Agency (250,000 € to the Professional Football League, already based on the GDPR), completed with the summary table of sanctions imposed by this supervisory authority since May 2018 that appears as an annex to this newsletter.

In addition, we include references to various proceedings opened by other European authorities, without forgetting the recent sanction imposed by the Belgian authority, which analyses the conditions for collecting consent for the processing of data when issuing a loyalty card.


Index

1. The AEPD fines the Professional Football League 250,000 Euros

2. The ICO has imposed the highest penalties so far

3. The CNIL imposes a 50 million fine on Google

4. Other EU supervisory authorities have also imposed sanctions for security breaches (Art. 32 GDPR)

5. The Belgian Data Protection Authority has fined a merchant for non-compliance with the GDPR

6. A Big Four is fined for non-compliance with the provisions of the GDPR

7. In Spain, telecommunications, energy and debt collection companies remain among those receiving the highest fines

8. Other recent EU fines

9. Table of sanctions imposed by the AEPD



1. The AEPD fines the Professional Football League 250,000 Euros

The resolution imposes the highest fine to date in the application of the GDPR. The procedure was initiated following press and media reports about a new feature in the mobile app of the Professional Football League ("LFP", in its Spanish acronym) which could indiscriminately capture ambient sound from the place where the user is, generating some social alarm. The facts were also reported to the supervisory authority by the association FACUA. It should be noted that no data subject or user of the application complained to the AEPD.

The main purpose of the app was to inform the user in real time of news related to their favourite team(s), including goal alerts, results, etc. In order to detect fraud related to the broadcasting of football matches in public establishments that do not hold the corresponding licences and which, according to the LFP, represents an estimated loss of 150 million Euros for the Spanish football system, the app requested the user's authorisation to activate the microphone of their device and collect sounds from the place where it was located, as well as information about the user's geolocation.

During the proceedings, LFP mainly made the following allegations:

(i) Users are informed of the functionality through the General Terms of Use and the Privacy Policy displayed when installing the app, and they must expressly authorise the processing through a box that is unchecked by default.

(ii) Given that the exclusive purpose of this processing is the detection of fraud, the controversial functionality is enabled only for users of Android 6 or higher, with a maximum of 50,000 at national level (out of a total of 10,000,000 users of the application). Outside Spain the functionality is disabled, and within Spain it is only activated during the time slots in which matches take place.

(iii) The app processes the captured sound to convert it into a binary hash; once this acoustic fingerprint has been generated, the original audio is discarded and cannot be accessed by the operating system or other applications. The process is irreversible and takes place on the user's device before the resulting information is sent to the external company in charge of comparing these fingerprints against those provided by the LFP.

(iv) Consequently, the LFP considers that no personal data is processed at this stage, either as regards the audio accessed through the microphone or as regards the IP address and identifier sent to the servers of the external collaborator (as IP addresses are processed for the sole purpose of establishing the connection between the server and the mobile devices).

(v) As for the location data concerned, it is transformed into heat maps to identify the territories where fraud is most prevalent.

(vi) Prior to developing the new functionality, the LFP took a number of accountability measures: it requested two legal reports from law firms, held internal privacy-by-design meetings, and analysed the need for a Privacy Impact Assessment and a Risk Assessment.

(vii) Users can revoke their consent at any time in the settings of their mobile device.

The AEPD, however, finds that the LFP does carry out processing of personal data. As to the sound, it states that "(...) in the first stage of the process, it can be stated that, if the collection takes place during a conversation where personal data is involved, we are faced with the collection of personal data and, therefore, with the processing of personal data. (...) the process of conversion into a fingerprint constitutes in itself one of the phases of the entire processing, which begins to take place from the collection of the information, independently of the subsequent processing, and finally the sending or communication for comparison (...)".

With regard to the IP addresses that the LFP also collects, the AEPD notes that "it is admitted that this was the IP address of the user's device, but it does not indicate the specific moment when it ceased to be used". Furthermore, according to the LFP privacy policy available until 26 March 2019, the controller stated that it would process "(...) IP address, operating system, browser ID, browsing activity and other information about how they interact with our LaLiga Environment". In addition, the AEPD inspection department found that the information transmitted to the external collaborator for comparison included "the fingerprint resulting from the conversion of the audio, the IP address of the device, a specific Identifier that assigns the application to the user and the user agent (...)".

The main reproach, however, is the lack of transparency towards the user of the application. Although the user consents to the processing of the information accessed through the microphone, the fact “that, at a later moment, the processing of the captured audio takes place, and that it is done in one way or another, depends solely on the will of [the LFP], because as is deduced from the report itself that is provided, the computer environment is easily modifiable by changing the programming with the determination of some values or others".

In the opinion of the AEPD, the LFP's broad configuration capabilities, together with the lapse of time between acceptance of the described functionalities and the moment the processing actually takes place, "makes it necessary to adapt the principle of transparency to this type of treatment, and it is essential to inform with certainty and transparency about the time when the treatment will take place -both when the application is installed and during the collection of information-". This is especially so for more intrusive processing such as sound capture through the microphone or geolocation.

Article 83 GDPR classifies the infringement of the transparency principle as very serious, so that it entails fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

When quantifying the penalty, the AEPD accepted only one of the mitigating circumstances invoked by the LFP, namely the display of an icon each time the device activated geolocation. By contrast, a number of aggravating circumstances were found, such as:

(i) the nature of the infringement (infringing an essential information principle in the processing of personal data is of special significance);

(ii) the seriousness of the infringement (given its persistence over time, more users could be affected within the limit of 50,000 simultaneous users configured by the LFP);

(iii) the number of those affected (since the LFP had the capacity to enable the functionality on the device of any user who had granted the permissions);

(iv) the intentionality of the infringement and the degree of accountability of the LFP (which apparently did not follow all the recommendations of the legal reports it requested; requesting such reports does not in itself imply compliance with the applicable rules);

(v) although the LFP's main business purpose is not the processing of personal data, it does "protect its financial assets from fraud (...) through invasive privacy techniques (...) without the certainty of the effectiveness of such system"; and

(vi) the persistence of the LFP's conduct, "which eliminates the only extenuating circumstance observed in the initial agreement, to turn it into a highly qualified aggravating circumstance".

The joint assessment of all these circumstances resulted in an increase from the EUR 50,000 of the proposed resolution to the EUR 250,000 finally imposed. This amount represents around 1% of the total worldwide annual turnover of the preceding financial year.


2. The ICO has imposed the highest penalties so far

The fine imposed on the LFP does not, however, match the amounts of the sanctions imposed by other supervisory authorities. Following the first major sanction under the new regulatory framework, i.e. the fine of 50 million euros imposed on Google by the French supervisory authority, the National Commission on Informatics and Liberty ("CNIL"), the UK supervisory authority, the Information Commissioner's Office ("ICO"), has issued two notices proposing multi-million fines, both following significant security breaches.

Both proceedings are pending final submissions and resolution, but they are a clear indication of the increase in potential sanctions under the GDPR (especially when the competent enforcement authority calculates fines on the basis of the sanctioned company's total annual turnover).

The first case concerns British Airways, which suffered an attack in which traffic was redirected to a fraudulent website where the attackers harvested data from nearly 500,000 customers. The categories affected include login credentials, payment cards, booking data and other identification data (although the company initially stated that data from some 380,000 transactions had been affected, not including passport or travel data). During the investigation, serious deficiencies were found in the security measures implemented by British Airways, so that the proposed sanction slightly exceeds 200 million euros, equivalent to 1.5% of global turnover in the previous year (2017).

The second procedure concerns the security incident suffered by the Marriott hotel chain, notified in November 2018, in which the data of nearly 339 million customers worldwide were exposed. The vulnerability is believed to originate in a hotel group acquired by Marriott in 2016 (Starwood), whose systems may have been compromised since 2014. The eventual sanction would be imposed on Marriott for a lack of diligence both in its pre-acquisition examination of Starwood and in implementing its own security measures. The ICO's proposal includes a financial penalty of just over 100 million euros, around 3% of global turnover in 2018.


3. The CNIL imposes a 50 million fine on Google

In January, the French supervisory authority imposed what was at the time the highest fine within the EU under the GDPR. According to the CNIL, Google had failed to comply with its transparency obligations and to obtain data subjects’ consent pursuant to art. 4 GDPR.

The complaint was initially brought by two organisations from Austria (None of Your Business) and France (“La Quadrature du Net”), concerned about the Google account creation process when setting up an Android smartphone. According to the claimants, Google had failed to (i) provide sufficient information, in clear and plain language, about the purposes of the processing, and (ii) obtain users’ consent to process their data for personalised marketing purposes.

In its ruling, the CNIL considers that the information provided by Google was not easily accessible: it was spread across several documents, each containing multiple links to further information, and required up to 5 or 6 clicks to reach. Furthermore, the description of the categories of data processed and the purposes of the processing was too vague. When obtaining consent, Google allowed users to modify only a limited set of options, and the boxes displayed were checked by default.

The CNIL also found that Google had not provided clear information on (i) the legal basis for its processing activities and (ii) the criteria that would allow users to determine the retention periods for certain types of data.

The French supervisory authority took several aggravating circumstances into account when setting the fine, such as the fact that the GDPR violations (i) concerned its essential principles and (ii) were still ongoing. Additionally, the Android OS has a significant presence in the French market, and the privacy policies presented to users govern a wide range of services that Google provides to all account holders.


4. Other EU supervisory authorities have also imposed sanctions for security breaches (Art. 32 GDPR)

The inadequacy of the security measures implemented by controllers has also been sanctioned in other Member States. In Romania, for example, a fine of 15,000 euros was imposed on the World Trade Center Bucharest hotel for leaving unattended a list used to check which guests had eaten breakfast.

Additionally, in France and Lithuania, SERGIC and YSC Mistertango have been sanctioned with 400,000 € and 61,500 € respectively for hosting personal data on their servers without adequate security measures, so that the information was freely accessible on the Internet. The considerable disparity between the amounts is explained by the fact that both cases also involved other regulatory breaches and circumstances of differing gravity.

Also in France, the CNIL issued a 180,000 € fine against the insurer Active Assurances on the basis that the company had “breached its obligation to secure personal data provided for by Article 32" of the GDPR. The facts date from 2018, when an Active Assurances customer reported that he was able to access the personal data of other customers (including driving licences, registration cards and bank details) simply by changing the numbers at the end of the URL in his browser.

The CNIL notified the company, which stated that measures to remedy the infringements had been implemented. However, during an on-site inspection, the CNIL found that the measures taken were insufficient. According to the CNIL, Active Assurances should have required customers to use strong passwords and should not have sent them passwords in plain text by e-mail.
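The Active Assurances defect described above is an insecure direct object reference: the application checked that the visitor was logged in but not that the requested document belonged to them. The following Python sketch is an added illustration and is not code from the newsletter or from the CNIL decision; the record store, user names, ids and access log are constructed, and the handler names are hypothetical. It shows the unchecked lookup beside one that enforces object-level authorisation, plus a detection pass a defender could run over the resulting access log.

```python
# Added example: a minimal model of the "change the number in the URL" defect
# the CNIL sanctioned, beside its fix. Store, users, ids and log are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    owner: str     # account that uploaded the document
    kind: str      # e.g. "driver_licence", "registration_card", "bank_details"
    content: str   # stands in for the document bytes


# Constructed sample store with sequential ids, as a naive implementation assigns them.
RECORDS: Dict[int, Record] = {
    1001: Record("alice", "driver_licence", "ALICE-DL"),
    1002: Record("bob", "registration_card", "BOB-RC"),
    1003: Record("bob", "bank_details", "BOB-RIB"),
}

Response = Tuple[int, Optional[str]]   # (HTTP-style status, body)


def fetch_vulnerable(session_user: Optional[str], record_id: int) -> Response:
    """The defect: only authentication is checked. Any logged-in customer who
    edits the number at the end of the URL receives another customer's document."""
    if session_user is None:
        return 401, None
    rec = RECORDS.get(record_id)
    if rec is None:
        return 404, None
    return 200, rec.content


def fetch_hardened(session_user: Optional[str], record_id: int) -> Response:
    """Object-level authorisation: the record must belong to the caller. A record
    owned by someone else is answered exactly like a missing one, so the response
    does not reveal which ids exist."""
    if session_user is None:
        return 401, None
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != session_user:
        return 404, None
    return 200, rec.content


LogLine = Tuple[Optional[str], int, int]   # (user, record_id, status)


def replay(handler: Callable[[Optional[str], int], Response],
           requests: List[Tuple[Optional[str], int]]) -> List[LogLine]:
    """Run constructed (user, record_id) requests through a handler and return the
    access log a server would write, as (user, record_id, status) tuples."""
    return [(user, rid, handler(user, rid)[0]) for user, rid in requests]


def enumeration_suspects(log: List[LogLine], threshold: int = 5) -> List[str]:
    """Detection pass over the access log: with the hardened handler, a burst of
    404s from one account means it is requesting ids it does not own. Return the
    accounts whose miss count reaches the threshold."""
    misses: Dict[str, int] = {}
    for user, _rid, status in log:
        if status == 404 and user is not None:
            misses[user] = misses.get(user, 0) + 1
    return sorted(user for user, n in misses.items() if n >= threshold)
```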


5. The Belgian Data Protection Authority has fined a merchant for non-compliance with the GDPR

The Belgian data protection authority imposed a fine of 10,000 € on a merchant for the disproportionate use of the electronic identity card to issue a loyalty card. The complainant refused to hand over that document, so the benefits of the card were denied to him, even though he offered to provide the merchant with his personal data.

In particular, the authority considered that (i) the principle of data minimisation was infringed (the merchant needed data such as name, surname and address, but also wanted access to the photo and the barcode linked to the national registration number), and (ii) the consent given could not be considered freely given because no alternative was offered to customers: if they refused to allow the use of their electronic identity card, they could not enjoy the advantages and discounts.


6. A Big Four firm is fined for non-compliance with the provisions of the GDPR

The Hellenic Data Protection Authority has imposed its first sanction for non-compliance with the General Data Protection Regulation (“GDPR”) on PricewaterhouseCoopers (“PWC”), amounting to 150,000 €.

PWC processed employees’ personal data in breach of the principles of accountability, lawfulness, fairness and transparency.

PWC gave employees the false impression that their personal data were being processed on the legal basis of consent, while in fact it was processing them under a different legal basis of which employees were never informed, in breach of the transparency principle in Article 5 GDPR and, consequently, of the obligation to provide information under Articles 13 and 14 GDPR.

For this reason, the Greek authority decided to impose a fine of 150,000 € on PWC under Article 83 GDPR, and also gave the company three months to bring the processing of its employees' personal data into line, to ensure the correct application of the principles infringed, and to evidence its compliance.

This sanction is the first fine for breach of the GDPR imposed on one of the Big Four.



7. In Spain, telecommunications, energy and debt collection companies remain among those receiving the highest fines

Returning to Spain, the remaining fines imposed by the AEPD involve smaller amounts, similar to those that would have been imposed under the previous regulatory framework. Particularly frequent are sanctions for controller errors in which receipts or invoices are demanded from the wrong data subject.

Endesa Energía XXI was sanctioned for an error in modifying the data of a contract and, by acknowledging its responsibility and voluntarily paying the fine, reduced the amount by 40%, to a final 60,000 euros. In most of the proceedings for this type of error, the sanctioned entity is Vodafone, which used the same mechanisms to end up paying 28,000 euros, 36,000 euros and 36,000 euros respectively.

The AEPD also continues to sanction, under the GDPR, non-compliance related to the processing of debtor data, whether the inclusion of a data subject in shared debtor files (60,000 euros to Yoigo) or exceeding the limits of the processing by claiming payment through channels and addresses that the data subject had not provided to the creditor and that were collected from the Internet (60,000 euros to Gestión de Cobros, Yo Cobro).


8. Other recent EU fines

· In France, Uniontrad Company has been fined EUR 20,000 for failing to comply with the requirements on the use of video surveillance systems. The sanctioned entity ignored the CNIL's warnings regarding the limitation of the time during which employees were recorded and the provision of adequate information about the processing.

· In Denmark, IDdesign (a furniture manufacturer) has been fined EUR 200,000 for failing to comply with the principle of storage limitation and for over-processing data from around 385,000 customers.

· In Romania, the supervisory authority has sanctioned Unicredit Bank with EUR 130,000 for a violation of the principles of privacy by design and by default, since its customers could access the ID number and address of payers who made transactions from accounts held at other entities.

· In Hungary, a festival organiser has been fined EUR 92,000 for failing to comply with the principles of purpose limitation and storage limitation. The sanctioned entity invoked its legitimate interest in ensuring the safety of attendees (in particular, against terrorist attacks), but the supervisory authority considered that the processing activities deployed to identify the data subjects were disproportionate.

· In Belgium, the use for electoral purposes of e-mail addresses to which a mayor had access in the exercise of his functions has been sanctioned with EUR 2,000.

· In Germany, a police officer has been fined EUR 1,400 for misusing a data subject's data without duly justifying the link between his enquiries and the exercise of his duties.


9. Table of sanctions imposed by the AEPD

Ramón y Cajal Abogados has analysed the fines and warnings imposed by the AEPD since the GDPR became applicable. The analysis is set out below:

Nº

Keywords

Facts

Section of GDPR infringed

Company /individual

Penalty

Link

1

Apps, breach of transparency principle

 

The accused entity collected, through a mobile app, information of geolocation and microphones from users' mobile phones. The objective was to detect fraud in the consumption of televised football in unauthorized locations.

 

The AEPD understands that the access to the microphone and location data is opaque and that the app should warn the user each time the controversial feature is activated.

 

The LFP argues that it obtained the informed consent of the users and has announced that it will appeal the decision to the competent court (“Audiencia Nacional”).

 

Art. 5.1.a) GDPR, typified in art. 83.5 a) GDPR

Liga Nacional de Fútbol Profesional (LFP)

250.000€

https://www.aepd.es/resoluciones/PS-00326-2018_ORI.pdf

2

Energy, breach of integrity and confidentiality principle

ENDESA disclosed a third party's personal data by charging the claimant's bank account with a gas receipt that did not correspond to her, but to the third party.

Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR

ENDESA ENERGÍA XXI, S.L.U.

 

Initial proposed fine: 100.000€

Final fine: 60.000€ due to responsibility recognition and prompt payment.

 

https://www.aepd.es/resoluciones/PS-00074-2019_ORI.pdf

3

 

Financial solvency/ Creditworthiness Files, breach of accuracy principle

 

Due to an error in the entry of the telephone number, the claimant received calls from XFERA MÓVILES, S.A. requiring a debt of which it was not the owner and warning it that it would be recorded in a creditworthiness file.

 

 

Art. 5 GDPR, typified in art. 83.5 GDPR

 

XFERA MÓVILES, S.A. (YOIGO)

65.000€

https://www.aepd.es/resoluciones/PS-00094-2019_ORI.pdf

4

Financial solvency/ creditworthiness files, lack of lawfulness

 

AVON issued invoices with the personal data of the claimant and these were included in a financial solvency/creditworthiness files. AVON could not prove its lawfulness for the processing of such data, since the contract that would serve as a basis was not signed and its formalization was denied by the data subject.

 

 

Art. 6 GDPR, typified in art. 83.5 GDPR

 

AVON COSMETICS S.A.U

60.000€

 

https://www.aepd.es/resoluciones/PS-00159-2019_ORI.pdf

5

Financial solvency/

creditworthiness files, breach of  accuracy principle

 

The company included the claimant's personal data in a creditworthiness file (BADEXCUG) although the claimant had already settled its debt.

 

Art. 5.1 d) GDPR, typified in art. 83.5 GDPR

XFERA MÓVILES, S.A. (YOIGO)

60.000€

https://www.aepd.es/resoluciones/PS-00011-2019_ORI.pdf

6

Debts’ recovery, breach of integrity and confidentiality principle

 

The entity (dedicated to collecting debts) sent emails to the email addresses that the claimant provided when contracting the credit, but also to the institutional email address of her workplace, which could be accessed by other people besides her.

 

Art. 5.1.f) GDPR, typified in art. 83.2 GDPR

GESTIÓN DE COBROS, YO COBRO, S.L.

60.000€

https://www.aepd.es/resoluciones/PS-00121-2019_ORI.pdf

7

Telecommunications, lack of lawfulness (consent)

 

Processing of the claimant's ID number without his consent, because it was associated with another client. In addition, he could access the profile of that third client without authorization and due to VODAFONE’s negligence.

 

Art.6.1.a) GDPR, typified in art. 83.5 a) GDPR

VODAFONE ESPAÑA, S.A.U.

 

Initial proposed fine: 60.000€

Final fine: 36.000€ due to responsibility recognition and prompt payment.

 

https://www.aepd.es/resoluciones/PS-00056-2019_ORI.pdf

8

Breach of security of processing

 

The claimant, when accessing the company's customer area through her mother's username and password, was presented with the data of a third party without the latter's consent.

 

 

Art. 32 GDPR, typified in art. 83. 4 a) GDPR

 

 

VODAFONE ONO, S.A.U

 

Initial proposed fine: 60.000€

Final fine: 48.000€ due to prompt payment.

 

https://www.aepd.es/resoluciones/PS-00212-2019_ORI.pdf

9

Telecommunications, breach of integrity and confidentiality principle

VODAFONE ONO sent an email to a large number of clients without making use of the blind copy mechanism.

 

Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR

VODAFONE ONO, S.A.U.

 

Initial proposed fine: 60.000€

Final fine: 36.000€ due to responsibility recognition and prompt payment.

 

 

https://www.aepd.es/resoluciones/PS-00092-2019_ORI.pdf

10

 

Telecommunications, breach of integrity and confidentiality principle

 

VODAFONE did not respect the precautionary period between the cancellation of a user of a telephone number and the assignment of the same number to a new user. Therefore, in the "My Vodafone" application, the personal data of the old client continued to appear despite the fact that the telephone number corresponds to a new user.

 

 

Art. 5.1.f)  GDPR, typified in art. 83.5 a)  GDPR

 

VODAFONE ESPAÑA S.A.U.

 

Initial proposed fine: 60.000€

Final fine: 36.000€ due to responsibility recognition and prompt payment.

 

 

https://www.aepd.es/resoluciones/PS-00215-2019_ORI.pdf

11

Breach of lawfulness, fairness and transparency principle

 

TELEFONICA charged the claimant's bank account with two invoices for the services he had contracted, showing the personal details and address of another client. The entity has not rectified the error yet.

Art. 5.1.a) GDPR, typified in art. 83.2 GDPR

TELEFONICA MOVILES ESPAÑA, S.A.U.

 

Initial proposed fine: 60.000€

Final fine: 48.000€ due to responsibility recognition and prompt payment.

 

https://www.aepd.es/resoluciones/PS-00173-2019_ORI.pdf

12

Breach of integrity and confidentiality principle

VODAFONE disclosed the claimant's personal data to a third party via an SMS containing a link to the claimant's "Purchase Summary" where her data could be accessed.

Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR

VODAFONE ESPAÑA, S.A.U.

 

Initial proposed fine: 48.000€

Final fine: 30.000€ due to responsibility recognition and prompt payment.

 

https://www.aepd.es/resoluciones/PS-00205-2019_ORI.pdf

13

 

Telecommunications, breach of accuracy principle

 

The complainant received more than 200 SMS because VODAFONE associated his phone number with other customers and used it, by mistake, to test the sending of messages and check the quality of the online store.

 

Art. 5.1.d) GDPR, typified in art. 83.5 GDPR

VODAFONE ESPAÑA, S.A.U.

 

Initial proposed fine: 45.000€

Final fine: 27.000€ due to responsibility recognition and prompt payment.

 

 

https://www.aepd.es/resoluciones/PS-00411-2018_ORI.pdf

14

 

Telecommunications, lack of lawfulness (consent)

 

 

The entity charged the claimant for a Netflix service that it had not contracted. VODAFONE was not able to prove that the affected party had given its consent, nor conducted the minimum diligence required to verify the identity of the signatory.

 

 

Art. 6.1 GDPR, typified in art. 83.5 GDPR

 

VODAFONE ESPAÑA, S.A.U.

40.000€

 

https://www.aepd.es/resoluciones/PS-00064-2019_ORI.pdf

15

Telecommunications, lack of lawfulness

VODAFONE invoiced a mobile phone user, who was not any longer customer of such entity.

Art. 6.1 GDPR, typified in art. 83.5 GDPR

VODAFONE ESPAÑA, S.A.U.

 

Initial proposed fine: 35.000€

Final fine: 21.000€ due to responsibility recognition and prompt payment.

 

https://www.aepd.es/resoluciones/PS-00087-2019_ORI.pdf

16. Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system inside a building without an informative sign. The employees had not been informed about their data protection rights, and the establishment did not have a form available for clients to exercise their rights.
Infringement: Art. 5.1 c) GDPR, typified in art. 83.5 GDPR
Sanctioned entity: Individual
Sanction: 20.000€
Resolution: https://www.aepd.es/resoluciones/PS-00150-2019_ORI.pdf

17. Breach of lawfulness, fairness and transparency principle
Facts: The claimant was recorded at his workplace using another employee's mobile phone and without his consent. These recordings were provided as evidence to justify the disciplinary sanction imposed on him.
Infringement: Art. 5.1 a) GDPR, typified in art. 83.5 GDPR
Sanctioned entity: SANTI 3000, S.L. (RESTAURANTE LA OLIVA)
Sanction: Initial proposed fine 12.000€; final fine 9.600€ due to prompt payment.
Resolution: https://www.aepd.es/resoluciones/PS-00401-2018_ORI.pdf

18. Video surveillance, breach of minimisation principle
Facts: During an inspection, the Local Police found an image-recording device in the corridor area of a building, used to monitor the workers inside the residence. In addition, there was no informative sign.
Infringement: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: Individual
Sanction: 9.000€
Resolution: https://www.aepd.es/resoluciones/PS-00050-2019_ORI.pdf

19. Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system consisting of a series of security cameras oriented towards the public road without just cause.
Infringement: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: AMADOR RECREATIVOS, S.L. (Playroom TIKI TAKA)
Sanction: Initial proposed fine 6.000€; final fine 3.600€ due to responsibility recognition and prompt payment.
Resolution: https://www.aepd.es/resoluciones/PS-00135-2019_ORI.pdf

20. Telecommunications, financial solvency/creditworthiness files, breach of accuracy principle
Facts: VODAFONE included the claimant's data in a financial solvency/creditworthiness file, despite a complaint previously filed by the data subject with the Telecommunications Authority ("Secretaría de Estado para el Avance Digital - SEAD") over discrepancies in the application of a call voucher contracted with the operator. SEAD had confirmed that complaint.
Infringement: Art. 5.1.d) GDPR, typified in art. 83.5 GDPR
Sanctioned entity: VODAFONE ESPAÑA S.A.U.
Sanction: 5.000€
Resolution: https://www.aepd.es/resoluciones/PS-00331-2018_ORI.pdf

21. No purpose limitation, breach of integrity and confidentiality principle
Facts: The claimant filled out a form with his personal data to request information about an offer, and was added to a WhatsApp group without his consent.
Infringement: Art. 5.1.b) and f) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: DESSAU ARTE INMOBILIARIO, S.L. (CENTURY 21 ARQUITECTURA)
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00195-2019_ORI.pdf

22. Video surveillance, breach of minimisation principle
Facts: Installation of a recording device pointed directly at the claimant's workplace in a disproportionate manner, affecting the claimant's privacy.
Infringement: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: ELECTROMECANICA REYES, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00123-2019_ORI.pdf

23. Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system that disproportionately captured images of public space.
Infringement: Art. 5 GDPR, typified in art. 83.5 GDPR
Sanctioned entity: METROPOLITAN SPAIN, SL (Gym)
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00341-2018_ORI.pdf

24. Breach of integrity and confidentiality principle
Facts: An information note showing a neighbour's debts was posted in a place of the community of owners accessible to neighbours and third parties.
Infringement: Art. 5.1.f) GDPR, typified in art. 83.5 GDPR
Sanctioned entity: Community of neighbours
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00084-2019_ORI.pdf

25. Communication of personal data, lack of lawfulness (consent)
Facts: The owners of a workshop disclosed the claimant's details to a third party without his consent, in connection with irregularities in an invoice. The third party then contacted him to "resolve the situation" by means of coercion.
Infringement: Art. 6.1.a) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00105-2019_ORI.pdf

26. Video surveillance, lack of information
Facts: Installation of a video surveillance system in a vehicle workshop without the informative sign that notifies data subjects that personal data is being processed.
Infringement: Art. 13 GDPR, typified in art. 83.5 b) GDPR
Sanctioned entity: FORMAUTO ALVAREZ FERNANDEZ, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00136-2019_ORI.pdf

27. Telecommunications, lack of lawfulness
Facts: The company assigned to the claimant the payment for a telephone line without his consent. Some of the personal data held about the claimant in the entity's database did not belong to him, but to an unknown third party.
Infringement: Art. 6.1 GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: VODAFONE ESPAÑA, S.A.U.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00086-2019_ORI.pdf

28. Communication for marketing purposes, lack of lawfulness (consent)
Facts: The company used the complainant's email address to send her newsletters after she had withdrawn her consent and the company had confirmed that the unsubscription was complete.
Infringement: Art. 6.1.a) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: ANIMA NATURALIS
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00400-2018_ORI.pdf

29. Lack of information
Facts: The website portaenrere.cat offered no information on its privacy policy or legal notice, nor on how it processed the personal data of people who subscribed to it.
Infringement: Art. 13 GDPR, typified in art. 83.5 b) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00100-2019_ORI.pdf

30. Video surveillance, breach of minimisation principle
Facts: The respondent installed a video surveillance system on the balcony of his home for security purposes; it captured images of the public road in a manner disproportionate and unnecessary for that purpose.
Infringement: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00416-2018_ORI.pdf

31. Video surveillance, breach of minimisation principle
Facts: The respondents installed a video surveillance system in their dwelling that could capture images of the public road and the neighbouring dwelling.
Infringement: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: Individuals
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00349-2018_ORI.pdf

32. Lack of information
Facts: The respondent collected personal data from users in order to send them confirmation of the products selected in the shopping cart and to contact them in case of incidents, without providing the information required by the GDPR.
Infringement: Art. 13 GDPR, typified in art. 83.5 b) GDPR
Sanctioned entity: LIVING TERRITORIWEB, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00419-2018_ORI.pdf

33. Video surveillance, breach of minimisation principle
Facts: Installation of cameras that captured images of a vehicle traffic area on a public road.
Infringement: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: DUNNES STORES ANDALUCIA S.A
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00130-2019_ORI.pdf

34. Video surveillance, out-of-date information
Facts: Installation of a video surveillance system that recorded images continuously. There was an informative sign with a link to the website of the company that carried out the installation, but that website did not include the information required by the GDPR.
Infringement: Arts. 12.1 and 13 GDPR, typified in art. 83.5 b) GDPR
Sanctioned entity: KIOROMAR, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00352-2018_ORI.pdf

35. Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system to obtain images of the public road because of a "bad relationship" between the respondent and his neighbour, which does not justify recording the public road and also affects third parties.
Infringement: Art. 5.1 c) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00077-2019_ORI.pdf

36. Minors, lack of lawfulness (consent)
Facts: The association photographed the claimant's children in order to sell calendars, without asking for the specific consent of their parents.
Infringement: Arts. 6.1 a) and 8 GDPR, typified in art. 83 GDPR
Sanctioned entity: ASOCIACIÓN DE MADRES Y PADRES DEL COLEGIO MARÍA BLANCHARD (Parents' association of a school)
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00089-2019_ORI.pdf

37. Public entity, breach of integrity and confidentiality principle
Facts: The sanctioned entity displayed on its notice board (located on the public road) a list of fourteen people with their corresponding ID numbers and signatures, without their consent.
Infringement: Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: CONCEJO DE GARISOAIN (Public regional administration)
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00066-2019_ORI.pdf

38. Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system that recorded images of the owner's porch and the public street, although the only purpose was to receive images of the private surroundings.
Infringement: Art. 5.1.c) and 6 GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00003-2019_ORI.pdf

39. Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system, one of whose cameras focused disproportionately on the dwelling adjoining the defendant's, without the appropriate informative sign.
Infringement: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00090-2019_ORI.pdf

40. Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system that recorded images of both the public street and the establishment's terrace.
Infringement: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: GURMELIA S.C. (TAPERÍA ALBEDRÍO)
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00354-2018_ORI.pdf

41. Video surveillance, breach of minimisation principle, lack of lawfulness
Facts: Installation of a video surveillance system outside the owner's dwelling, focusing on the balconies of the adjoining dwellings and the public street.
Infringement: Art. 5.1 c) and 6 GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00010-2019_ORI.pdf

42. Communication for marketing purposes, lack of transparency and information
Facts: When collecting personal data, the controller did not offer an option to object to the processing of personal data for direct marketing purposes.
Infringement: Art. 12 GDPR, typified in art. 83.5 b) GDPR
Sanctioned entity: TALLERES AUTOPINTURA JIMENEZ, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00429-2018_ORI.pdf

43. Workplace, breach of integrity and confidentiality principle
Facts: The entity sent an email about a work-related issue to the claimant and three other colleagues without using the blind copy (Bcc) mechanism.
Infringement: Art. 5.1. f) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: QUALITY TECHNOLOGY SOLUTIONS ALPE, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00040-2019_ORI.pdf

44. Workplace, breach of accuracy principle
Facts: The claimant's image was still linked to the company's web page and still appeared in web browsers, despite the fact that he had stopped working there two years earlier.
Infringement: Art. 5.1 d) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: CIBES LIFT IBERICA, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00054-2019_ORI.pdf

45. Breach of integrity and confidentiality principle
Facts: The entity gave its members access to documentation containing personal data of the complainant and of the members he proposed as witnesses in the disciplinary proceedings that the entity had initiated against him.
Infringement: Art. 5.1 f) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: CLUB RECREATIVO DEPORTIVO PARQUE CARTUJA (Sports club)
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00037-2019_ORI.pdf

46. Video surveillance, breach of minimisation principle
Facts: Installation of a camouflaged video surveillance system with cameras pointing at the public street and monitoring the entrance of the claimant's building, without the proper informative sign.
Infringement: Art. 5 and 6 GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00334-2018_ORI.pdf

47. Video surveillance, lack of information, breach of minimisation principle
Facts: Installation of an unmarked video surveillance system filming people passing along the street without just cause.
Infringement: Art. 5.1.c) and 6 GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: CALVADOS 14, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00022-2019_ORI.pdf

48. Breach of integrity and confidentiality principle, security measures, security breach
Facts: Employees of the school's cleaning service threw documents, including students' examinations bearing personal data, into a container without taking appropriate measures for the destruction of such documents.
Infringement: Art. 5.1. f) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: NOBELIS, SOCIEDAD COOPERATIVA MADRILEÑA (Private educational centre)
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00002-2019_ORI.pdf

49. Breach of integrity and confidentiality principle
Facts: The entity sent an email to 24 people without using the blind copy (Bcc) mechanism.
Infringement: Art. 5.1. f) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: THE OLIVER GROUP TORREVIEJA, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00405-2018_ORI.pdf
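Entries 43 and 49 describe the same failure: a group message whose To/Cc headers disclosed every recipient's address to all the others. The following Python guard is an added illustration, not code from this newsletter or from any sanctioned entity, of a control a sending script or mail relay can apply before dispatch: it counts the recipients whose addresses will be visible to everyone else and, when more of them are outside the organisation than policy allows, moves every visible recipient to Bcc and addresses the message to the sender. The domain example.test, the limit of one visible external address, and the sample addresses are assumptions constructed for the example.

```python
"""Outbound-mail guard for the "forgot to use Bcc" failure mode.

Added example, not code from the newsletter or from any of the sanctioned entities.
Before a message leaves the organisation, count the recipients whose addresses every
other recipient will see (the To and Cc headers). When more of them are outside the
organisation than policy allows, move every visible recipient to Bcc and address the
message to the sender, so nobody can learn who else received it.
"""
from email.message import EmailMessage
from typing import List, Optional, Tuple

INTERNAL_DOMAIN = "example.test"  # assumed: the sender's own domain; colleagues may see each other
MAX_VISIBLE_EXTERNAL = 1          # assumed policy: at most one outside address may stay visible


def make_message(sender: str, to: str, cc: str = "", body: str = "(body)") -> EmailMessage:
    """Build a single-part text message; addresses are comma-separated header strings."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    msg["Subject"] = "Notice"
    msg.set_content(body)
    return msg


def header_addresses(msg: EmailMessage, header: str) -> List[str]:
    """Lower-cased addr-specs found in one address header; [] when the header is absent."""
    value = msg[header]
    if value is None:
        return []
    return [a.addr_spec.lower() for a in value.addresses]


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses every recipient will see: To and Cc, de-duplicated, order preserved."""
    seen: List[str] = []
    for header in ("To", "Cc"):
        for addr in header_addresses(msg, header):
            if addr not in seen:
                seen.append(addr)
    return seen


def external_recipients(addresses: List[str], internal_domain: Optional[str]) -> List[str]:
    """Addresses outside internal_domain; with internal_domain=None every address counts."""
    if internal_domain is None:
        return list(addresses)
    return [a for a in addresses if a.rpartition("@")[2] != internal_domain.lower()]


def enforce_bcc_policy(
    msg: EmailMessage,
    internal_domain: Optional[str] = INTERNAL_DOMAIN,
    max_visible_external: int = MAX_VISIBLE_EXTERNAL,
) -> Tuple[EmailMessage, List[str]]:
    """Rewrite msg in place when it would disclose recipients to one another.

    Returns (msg, moved): moved lists the addresses taken out of To/Cc, or [] when the
    message already complied and was left untouched.
    """
    visible = visible_recipients(msg)
    if len(external_recipients(visible, internal_domain)) <= max_visible_external:
        return msg, []
    hidden = visible + [a for a in header_addresses(msg, "Bcc") if a not in visible]
    sender = str(msg["From"])
    del msg["To"]   # del removes every occurrence of the header and is a no-op if absent
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = sender              # the only visible recipient is now the sender itself
    msg["Bcc"] = ", ".join(hidden)  # the real recipients, invisible to one another
    return msg, visible


def constructed_sample() -> EmailMessage:
    """Constructed reproduction of the failure mode: one notice sent to a whole group via To."""
    return make_message(
        "office@example.test",
        "ana@mail-a.test, bruno@mail-b.test, carla@mail-c.test",
        cc="diego@example.test",
        body="Hello all, please find the notice below.",
    )


if __name__ == "__main__":
    fixed, moved = enforce_bcc_policy(constructed_sample())
    print("moved to Bcc:", moved)
    print(fixed)
```

Passing `internal_domain=None` gives the stricter variant in which colleagues' addresses are hidden as well, which is the reading closest to entry 43, where the disclosed addresses belonged to co-workers.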
50. Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system on his façade without authorisation.
Infringement: Art. 5.1 c) and 6 GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00376-2018_ORI.pdf

51. Video surveillance, breach of minimisation principle
Facts: Installation of a camera in a dwelling that took disproportionate images of the public road without authorisation.
Infringement: Art. 5.1 c) and 6 GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00418-2018_ORI.pdf

52. Lack of information
Facts: The website collected personal data from people who accessed and registered on it without providing them with the relevant information.
Infringement: Art. 13 GDPR, typified in art. 83.5 GDPR
Sanctioned entity: WWW.YELLOWELEPHANT.ES
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00015-2019_ORI.pdf

53. Video surveillance, breach of minimisation principle, lack of lawfulness
Facts: Installation of a video surveillance system in a building, focusing on the public road, without any informative sign.
Infringement: Art. 5.1 c) and 6 GDPR, typified in art. 83.5 a) and b) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00335-2018_ORI.pdf

54. Financial solvency/creditworthiness files, breach of accuracy principle
Facts: Inclusion of the claimant's personal data in a financial solvency/creditworthiness file (ASNEF) in respect of a debt that was not certain, due or enforceable.
Infringement: Art. 5.1 d) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: SISTEMAS FINANCIEROS MOVILES SL
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00330-2018_ORI.pdf

55. Workplace, video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system in the hotel premises that captured images of the staff canteen, the door of the staff toilets, etc.
Infringement: Art. 5.1 c) GDPR, typified in art. 83.5 GDPR
Sanctioned entity: HOTEL ROYAL AL ANDALUS S.A.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00346-2018_ORI.pdf

56. Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system on the entity's façade, pointed at its entrance, that captured images of people passing along the street and of vehicles circulating on the roadway.
Infringement: Art. 5.1 c) GDPR, typified in art. 83.5 GDPR
Sanctioned entity: SANCHEZ JOYEROS TEMPO 2016, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00348-2018_ORI.pdf

57. Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system that focused on the complainant's home.
Infringement: Art. 5.1 c) GDPR, typified in art. 83.5 GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00347-2018_ORI.pdf

58. Video surveillance, breach of minimisation principle
Facts: Installation of a panoramic video surveillance camera at the entrance of its facilities, capturing images of people passing along the street.
Infringement: Art. 5.1 c) GDPR, typified in art. 83.5 GDPR
Sanctioned entity: TODOFUNDICION, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00375-2018_ORI.pdf

59. Video surveillance, breach of minimisation principle, lack of lawfulness
Facts: Installation of a video surveillance system on the respondent's private property but oriented towards the public street in order to obtain images of her vehicle, without any informative sign.
Infringement: Art. 5.1 c) and 6.1 GDPR, typified in art. 83.5 a) and b) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00378-2018_ORI.pdf

60. Breach of data minimisation principle
Facts: The complainant applied for the selection process of the Superior Corps of Technicians in Penitentiary Institutions. Typing her name and surname into the Google search engine returned a reference to the BOE (Official State Gazette) containing the resolution on admitted and excluded candidates. That resolution contained the claimant's personal data (name, surname, ID number and degree of disability).
Infringement: Art. 5.1 c) and 9.1 GDPR, typified in art. 83.5 a) and b) GDPR
Sanctioned entity: Secretaría General de Instituciones Penitenciarias (Body of Penitentiary Institutions)
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00361-2018_ORI.pdf

61. Video surveillance, breach of lawfulness principle
Facts: Placement of a video camera focused directly on the entrance of the Headquarters, without informing the officers of the placement or its purpose and without any informative sign.
Infringement: Art. 6.1 c) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: Ayuntamiento de Corita del Ebro (Corita del Ebro City Council)
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00359-2018_ORI.pdf

62. Lack of information
Facts: Collection of users' personal data through a web form without correctly and completely providing the information required by Article 13 GDPR.
Infringement: Art. 13 GDPR, typified in art. 83.5 b) GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00377-2018_ORI.pdf

63. Video surveillance, breach of minimisation principle
Facts: Installation of two video surveillance cameras on the façade of an establishment, facing the street and the entrance to a building.
Infringement: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Sanctioned entity: VENDING Y DISTRIBUCIÓN 2017, S.L
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00353-2018_ORI.pdf

64. Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system pointing at the public road, without the proper informative sign. In addition, the images were stored indefinitely.
Infringement: Art. 5.1 c) GDPR, typified in art. 83.5 GDPR
Sanctioned entity: Individual
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00120-2019_ORI.pdf

65. Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system both inside and outside a bar, recording external public areas. Inside the bar there was no informative sign, and outside there was only a small sign that could not easily be seen.
Infringement: Art. 5.1 c) GDPR, typified in art. 83.5 GDPR
Sanctioned entity: BAR TARIQUEJO
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00117-2019_ORI.pdf

66. Lack of information
Facts: The company processed personal data without providing data subjects with the information required by data protection regulations.
Infringement: Art. 13 GDPR, typified in art. 83.5 GDPR
Sanctioned entity: CHAPAUTO SPORT, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00408-2018_ORI.pdf

67. Breach of integrity and confidentiality principle, public administration
Facts: Processing of the personal information of citizens attending the City Council's Department of Social Services in offices shared by several professionals.
Infringement: Arts. 5.1.f) and 32.1.b) GDPR, typified in art. 83.4 a) GDPR
Sanctioned entity: AYUNTAMIENTO DE PARLA (Parla City Council)
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00365-2018_ORI.pdf

68. Breach of security of processing
Facts: Defective configuration of an email account used for the internal management of the store: the emails sent from that account were visible on the devices on display in the store.
Infringement: Art. 32 GDPR, typified in art. 83.4 a) GDPR
Sanctioned entity: BALMORE ATLANTIC, S.L.
Sanction: Warning
Resolution: https://www.aepd.es/resoluciones/PS-00431-2018_ORI.pdf

69. Communication for marketing purposes, withdrawal of consent
Facts: The complainant continued to receive Vodafone marketing communications via SMS despite having expressed his wish not to receive them.
Infringement: Art. 21.1 E-commerce Act, typified in art. 38.4.d)
Sanctioned entity: VODAFONE ESPAÑA, S.A.U.
Sanction: Initial proposed fine 10.000€; final fine 6.000€ due to responsibility recognition and prompt payment.
Resolution: https://www.aepd.es/resoluciones/PS-00189-2019_ORI.pdf

70. Communication for marketing purposes, lack of lawfulness (consent)
Facts: The complainant received marketing communications from the company without having had any prior commercial relationship with it.
Infringement: Art. 21.1 E-commerce Act, typified in art. 38.4.d)
Sanctioned entity: MAPEX AGENCIA CONSULTING, S.L.
Sanction: 1.000€
Resolution: https://www.aepd.es/resoluciones/PS-00169-2019_ORI.pdf


Further information:

Norman Heckh
nheckh@ramoncajal.com

María Luisa González
mlgonzalez@ramoncajal.com

Madrid

Almagro, 16-18
Madrid 28010
T: (+34) 91 576 19 00

Barcelona

Avenida Diagonal 615, 8ª planta.
08028
T (+34) 93 494 74 82


In addition, we include references to different proceedings opened by other European authorities, without forgetting the recent sanction imposed by the Belgian authority that analyses the conditions for collecting consent for the processing of data in the process of obtaining a loyalty card.


Index

1. The AEPD fines the Professional Football League 250,000 Euros

2. The ICO has imposed the highest penalties so far

3. The CNIL imposes a 50 million fine on Google

4. Other EU supervisory authorities have also imposed sanctions for security breaches (Art. 32 GDPR)

5. The Belgian Data Protection Authority has fined a merchant for non-compliance with the GDPR

6. A Big Four firm is fined for non-compliance with the provisions of the GDPR

7. In Spain, telecommunications, energy and debt collection companies remain among those receiving the highest fines

8. Other recent EU fines

9. Table of sanctions imposed by the AEPD



1.- The AEPD fines the Professional Football League 250,000 Euros

The resolution imposes the highest fine to date under the GDPR. The proceedings were initiated after press and media reports about a new feature of the mobile app of the Professional Football League ("LFP", in its Spanish acronym) which could indiscriminately capture ambient sound from wherever the user was, causing some public alarm. The facts were also reported to the supervisory authority by the consumer association FACUA. It should be noted that no data subject or user of the application complained to the AEPD.

The main purpose of the app was to inform users in real time of news related to their favourite team or teams, including alerts of goals, results, etc. In order to detect fraud related to the broadcasting of football matches in public establishments that do not hold the corresponding permits, which according to the LFP represents an estimated loss of 150 million Euros for the Spanish football system, the app requested the user's authorisation to activate the device's microphone and collect sound from the place where it was located, as well as the user's geolocation.

During the proceedings, the LFP mainly made the following allegations:

(i) Users are informed of the functionality through the General Terms of Use and the Privacy Policy displayed when installing the app, and they must expressly authorise the processing by ticking a box that is unchecked by default.

(ii) Given that the exclusive purpose of this processing is the detection of fraud, the controversial functionality is enabled only for users of Android 6 or higher, with a maximum of 50,000 users nationally (out of a total of 10,000,000 users of the application). Outside Spain the functionality is disabled, and within Spain it is only activated during the time slots in which matches take place.

(iii) The app processes the captured sound to convert it into a binary hash; once this acoustic fingerprint has been generated, the original audio is discarded and cannot be accessed by the operating system or other applications. The process is irreversible and takes place on the user's device before the resulting information is sent to the external company in charge of matching these fingerprints against those provided by the LFP.

(iv) Consequently, the LFP considers that there is no processing of personal data at this stage, either in terms of the audio accessed through the microphone or in terms of the IP address and identifier sent to the servers of the external collaborator (as IP addresses are processed for the sole purpose of establishing the connection between the server and the mobile devices).

(v) The location data concerned is transformed into heat maps to identify the territories with the most fraud.

(vi) Before developing the new functionality, the LFP took a number of accountability measures: it requested two legal reports from law firms, held internal privacy-by-design meetings, and analysed the need for a Privacy Impact Assessment and Risk Assessment.

(vii) Users can revoke their consent at any time in the mobile device settings.

The AEPD, however, finds that the LFP does carry out processing of personal data. As to the sound, it states that "(...) in the first stage of the process, it can be stated that, if the collection takes place during a conversation where personal data is involved, we are faced with the collection of personal data and, therefore, with the processing of personal data. (...) the process of conversion into a fingerprint constitutes in itself one of the phases of the entire processing, which begins to take place from the collection of the information, independently of the subsequent processing, and finally the sending or communication for comparison (...)".

With regard to the IP addresses that the LFP also collects, the AEPD considers that "it is admitted that this was the IP address of the user's device, but it does not indicate the specific moment when it ceased to be used". Moreover, in the privacy policy of the LFP available until 26 March 2019, the controller stated that it would process "(...) IP address, operating system, browser ID, browsing activity and other information about how they interact with our LaLiga Environment". In addition, the AEPD inspection department found that the information transmitted to the external collaborator for comparison included "the fingerprint resulting from the conversion of the audio, the IP address of the device, a specific Identifier that assigns the application to the user and the user agent (...)".

The main reproach, however, is the lack of transparency towards the user of the application. Although the user gives consent for the processing of the information accessed through the microphone, the fact "that, at a later moment, the processing of the captured audio takes place, and that it is done in one way or another, depends solely on the will of [the LFP], because as is deduced from the report itself that is provided, the computer environment is easily modifiable by changing the programming with the determination of some values or others".

In the opinion of the AEPD, these broad configuration capabilities of the LFP, together with the lapse between the acceptance of the described functionalities and the moment in which the processing actually takes place, "makes it necessary to adapt the principle of transparency to this type of treatment, and it is essential to inform with certainty and transparency about the time when the treatment will take place (both when the application is installed and during the collection of information)". This is especially so for more intrusive processing such as sound capture through the microphone, or geolocation.
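The AEPD's reasoning above turns on the fact that whether and when the capture runs depends on configuration the controller can change at will, so the user cannot know when the processing actually happens. The following Python sketch is added here as an illustration and is not the LFP app's or the AEPD's code; it shows one privacy-by-design way to bind consent to the terms the user was shown: the accepted terms (purpose, capture windows, fields that leave the device) are hashed into the consent record, every capture re-checks the configuration actually in force against that hash, and each capture raises a user-visible notice, the kind of signal the AEPD treated as mitigating for geolocation. The class names, the "fraud detection" purpose string, the evening window, the sample identifier and the use of a SHA-256 digest as a stand-in for an acoustic fingerprint are all constructed assumptions.

```python
"""Consent-bound capture gate.

Added illustration of the transparency reasoning in the text; a hypothetical design,
not the LFP app's code. The user consents to a concrete set of capture terms (purpose,
time windows in which capture may run, which fields leave the device). A digest of
those terms is stored with the consent. Before every capture the gate re-derives the
digest from the configuration actually in force, so a remotely pushed change to any
term blocks capture until the user has seen and accepted the new terms. Each capture
also raises a user-visible notice and writes an audit entry.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field, replace
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CaptureTerms:
    purpose: str
    windows: Tuple[Tuple[str, str], ...]  # ("HH:MM", "HH:MM") local-time windows; no midnight wrap (assumed)
    fields_sent: Tuple[str, ...]          # payload keys the user was told would leave the device

    def digest(self) -> str:
        """Stable hash of the terms as shown to the user; any change to any term alters it."""
        canonical = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    user_id: str
    terms_digest: str
    granted_at: datetime
    revoked: bool = False


def in_window(now: datetime, windows: Tuple[Tuple[str, str], ...]) -> bool:
    """True when now's wall-clock time lies inside one of the disclosed windows."""
    t = now.time()
    return any(time.fromisoformat(start) <= t <= time.fromisoformat(end) for start, end in windows)


def retune(terms: CaptureTerms, **changes) -> CaptureTerms:
    """Model a remotely pushed configuration change (wider windows, extra fields, ...)."""
    return replace(terms, **changes)


def clock(hour: int, minute: int = 0) -> datetime:
    """Constructed sample clock: a fixed match day, so tests are deterministic."""
    return datetime(2019, 3, 2, hour, minute)


@dataclass
class CaptureGate:
    consent: ConsentRecord
    active_terms: CaptureTerms              # whatever configuration is currently in force
    user_agent: str = "constructed-ua/1.0"  # constructed sample value
    notices: List[str] = field(default_factory=list)
    audit: List[Dict[str, str]] = field(default_factory=list)

    def may_capture(self, now: datetime) -> Tuple[bool, str]:
        """Decide, with a reason, whether a capture at `now` matches what the user consented to."""
        if self.consent.revoked:
            return False, "consent revoked"
        if self.active_terms.digest() != self.consent.terms_digest:
            return False, "terms changed since consent; re-consent required"
        if not in_window(now, self.active_terms.windows):
            return False, "outside disclosed capture window"
        return True, "ok"

    def capture(self, now: datetime, sample: bytes) -> Optional[Dict[str, str]]:
        """Run one capture; returns the payload that would leave the device, or None if refused."""
        allowed, reason = self.may_capture(now)
        self.audit.append({"at": now.isoformat(), "allowed": str(allowed), "reason": reason})
        if not allowed:
            return None
        self.notices.append(f"Microphone active for {self.active_terms.purpose} at {now:%H:%M}")
        # Toy stand-in for an acoustic fingerprint: a one-way hash of the sample, computed on device.
        raw = {
            "fingerprint": hashlib.sha256(sample).hexdigest(),
            "app_user_id": self.consent.user_id,
            "user_agent": self.user_agent,
        }
        # Only the fields disclosed in the accepted terms are transmitted.
        return {k: v for k, v in raw.items() if k in self.active_terms.fields_sent}


def constructed_scenario() -> CaptureGate:
    """Constructed sample: consent to fingerprint-only capture during an evening window."""
    terms = CaptureTerms(purpose="fraud detection", windows=(("20:00", "23:00"),), fields_sent=("fingerprint",))
    consent = ConsentRecord(user_id="user-0001", terms_digest=terms.digest(), granted_at=clock(18))
    return CaptureGate(consent=consent, active_terms=terms)
```

The point of the digest check is that widening the capture window or adding the device identifier to the payload by remote configuration is not a silent change: the gate refuses to capture until the user has been shown and has accepted the new terms, which is the certainty about timing and scope the AEPD says the transparency principle requires here.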

Article 83 GDPR classifies the infringement of the right to transparency as very serious, so that it entails fines up to EUR 20,000,000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In quantifying the penalty, the AEPD accepted only one of the mitigating circumstances invoked by the LFP: the display of an icon each time the device activated geolocation. In contrast, a number of aggravating circumstances were found, such as:

(i) the nature of the infringement (the infringement of an essential information principle in the processing of personal data is of special significance);

(ii) the seriousness of the infringement (given its persistence over time, more users could be affected within the limit of 50,000 simultaneous users configured by the LFP);

(iii) the number of data subjects affected (since the LFP had the capacity to implement the functionality on the device of any user who had granted the permissions);

(iv) the intentionality of the infringement and the degree of accountability of the LFP (which apparently did not follow all the recommendations of the legal reports it requested; requesting such reports does not in itself imply compliance with the applicable rules);

(v) although the LFP's main business purpose is not the processing of personal data, it does "protect its financial assets from fraud (...) through invasive privacy techniques (...) without the certainty of the effectiveness of such system"; and

(vi) the persistence of the LFP's conduct, "which eliminates the only extenuating circumstance observed in the initial agreement, to turn it into a highly qualified aggravating circumstance".

The joint evaluation of all these circumstances resulted in an increase from the EUR 50,000 of the proposed resolution to the EUR 250,000 finally imposed. This amount represents around 1% of the LFP's total worldwide annual turnover for the preceding financial year.


2.- The ICO has imposed the highest penalties so far

The fine imposed on the LFP does not, however, come close to the amounts of the sanctions imposed by other supervisory authorities. Following the first major sanction under the new regulatory framework, the 50 million euro fine imposed on Google by the French supervisory authority, the National Commission on Informatics and Liberty ("CNIL"), the Information Commissioner's Office ("ICO"), the UK supervisory authority, has issued two proposed resolutions with multi-million fines, both following significant security breaches.

Both proceedings are pending final allegations and resolution, but they are a clear indication of the increase in potential sanctions under the GDPR (especially when the competent enforcement authority calculates the amount of the fine on the basis of the total worldwide annual turnover of the sanctioned company).

The first case concerns British Airways, which suffered an attack in which traffic was redirected to a fraudulent website where the attackers harvested data from nearly 500,000 customers. The categories affected include access credentials, credit card details, reservation data and other identification data (although the company initially stated that some 380,000 transactions had been affected and that passport and travel data were not included). During the investigation serious deficiencies were detected in the security measures implemented by British Airways, and the proposed sanction slightly exceeds 200 million euros, equivalent to 1.5% of global turnover in the previous year (2017).

The second procedure concerns the security incident suffered by the Marriott hotel chain, notified in November 2018, in which the data of nearly 339 million customers worldwide were exposed. The vulnerability is believed to originate in a hotel group acquired by Marriott in 2016 (Starwood), whose systems could have been compromised since 2014. The eventual sanction would be imposed on Marriott for a lack of diligence both in its pre-purchase examination of Starwood and in implementing its own security measures. The ICO's proposal includes a financial penalty of just over 100 million euros, which represents around 3% of global turnover in 2018.


3.- The CNIL imposes a 50 million euro fine on Google

In January the French supervisory authority imposed what was at the time the highest fine within the EU under the GDPR. According to the CNIL, Google had failed to comply with its transparency obligations and to obtain data subjects' consent pursuant to art. 4 GDPR.

The complaint was initially brought by two organisations, from Austria (None of Your Business) and France ("La Quadrature du Net"), concerned about the Google account creation process when setting up an Android smartphone. According to the claimants, Google had failed to (i) provide sufficient information, in clear and plain language, about the purposes of the processing, and (ii) obtain users' consent to process their data for personalised marketing purposes.

In its ruling, the CNIL considers that the information provided by Google was not easily accessible: it was spread across several documents, each containing multiple links to further information, and required up to 5 or 6 clicks to reach. Furthermore, the description of the data categories subject to processing, and of the purposes of that processing, was too vague. When obtaining consent, Google allowed users to modify only a limited set of options, and the boxes displayed were pre-checked by default.

The CNIL also found that Google had not provided clear information on (i) the legal basis supporting its processing activities and (ii) the criteria that would allow users to determine the retention periods for certain types of data.

The French supervisory authority took into consideration several aggravating circumstances when setting the fine, such as the fact that the GDPR violations (i) concerned its essential principles and (ii) were still occurring. Additionally, Android has a significant presence in the French market, and the privacy policies presented to users govern a variety of services provided by Google to all account holders.


4.- Other EU supervisory authorities have also imposed sanctions for security breaches (Art. 32 GDPR)

The inadequacy of security measures implemented by controllers has also been sanctioned in other Member States. In Romania, for example, a fine of 15,000 euros was imposed on the World Trade Center Bucharest hotel for leaving unattended a list used to check which guests had eaten breakfast.

Additionally, in France and Lithuania, SERGIC and YSC Mistertango have been fined 400.000€ and 61.500€ respectively for hosting personal data on their servers without implementing adequate security measures to prevent the information from being freely accessible on the Internet. The appreciable disparity between the amounts is because, in both cases, there were other regulatory breaches and circumstances of differing gravity.

Also in France, the CNIL issued a 180.000 € fine against the insurer Active Assurances on the basis that the company had "breached its obligation to secure personal data provided for by Article 32" of the GDPR. The facts date from 2018, when an Active Assurances customer reported that he was able to access the personal data of other customers (among them driver's licences, registration cards and bank identification records) simply by changing the numbers at the end of the URL in the browser.

The CNIL notified the company, which stated that measures to remedy the infringements had been implemented. However, during an on-site inspection, the CNIL found that the measures taken were not sufficient. According to the CNIL, Active Assurances should have instructed its customers to use strong passwords, and it should not have sent them their passwords in plain text by e-mail.
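The Active Assurances finding is a missing object-level authorization check: the record number at the end of the URL was treated as proof of entitlement. The Python below is an added example, not code from the page or from any company it names; it contrasts that lookup with one scoped to the authenticated customer and records refused foreign-id requests so that id probing becomes visible to the operator. All identifiers and records are constructed sample data.

```python
"""Object-level authorization for per-customer documents (added example).

Constructed data models the failure the CNIL described: a document is
fetched by the numeric id at the end of the URL, so any authenticated
customer can read any other customer's record by changing that number.
The hardened lookup scopes the query to the authenticated customer and
logs rejected accesses so that enumeration attempts can be detected.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int          # customer who is entitled to read this record
    kind: str              # e.g. "driving_licence", "registration_card"


@dataclass
class DocumentStore:
    docs: dict
    # (user_id, doc_id) pairs that were refused; feeds the detection below
    denied: list = field(default_factory=list)

    def fetch_insecure(self, doc_id: int) -> Optional[Document]:
        """Vulnerable pattern: trusts the id taken from the URL (IDOR)."""
        return self.docs.get(doc_id)

    def fetch(self, doc_id: int, current_user_id: int) -> Optional[Document]:
        """Hardened lookup: the caller's identity is part of the query.

        A document that exists but belongs to someone else is treated exactly
        like a missing one, so the response does not reveal which ids are
        valid; the refusal is recorded for detection.
        """
        doc = self.docs.get(doc_id)
        if doc is None or doc.owner_id != current_user_id:
            self.denied.append((current_user_id, doc_id))
            return None
        return doc

    def enumeration_suspects(self, threshold: int = 3) -> dict:
        """Users whose distinct refused ids reach the threshold.

        Many different foreign ids refused for one account is the server-side
        signature of someone walking the id space.
        """
        distinct = {}
        for user_id, doc_id in self.denied:
            distinct.setdefault(user_id, set()).add(doc_id)
        return {u: len(ids) for u, ids in distinct.items() if len(ids) >= threshold}


def build_sample_store() -> DocumentStore:
    """Constructed sample data: three customers, sequential document ids."""
    docs = [
        Document(1001, owner_id=1, kind="driving_licence"),
        Document(1002, owner_id=2, kind="registration_card"),
        Document(1003, owner_id=3, kind="bank_details"),
        Document(1004, owner_id=1, kind="registration_card"),
    ]
    return DocumentStore({d.doc_id: d for d in docs})


if __name__ == "__main__":
    store = build_sample_store()
    # Customer 2 edits the number at the end of the URL: the insecure path leaks.
    print(store.fetch_insecure(1003))
    # The hardened path returns nothing for foreign or unknown ids...
    for doc_id in (1001, 1003, 1004, 9999):
        print(store.fetch(doc_id, current_user_id=2))
    # ...and the accumulated refusals make the probing visible.
    print(store.enumeration_suspects())
```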


5.- The Belgian Data Protection Authority has fined a merchant for non-compliance with the GDPR

The Belgian data protection authority imposed a fine of 10,000 € on a merchant for the disproportionate use of the electronic identity card for the purpose of issuing a loyalty card. The complainant refused to hand over the document and was therefore denied the benefits of the card, even though he offered to provide the merchant with his personal data by other means.

In particular, the authority considered that (i) the principle of data minimisation was infringed (the merchant needed data such as name, surname and address, but also wanted access to the photo and to the barcode linked to the national registration number), and (ii) the consent given could not be considered freely given, because no alternative was offered to customers: if they refused to allow the use of their electronic identity card, they could not enjoy the advantages and discounts.


6.- A Big Four is fined for non-compliance with the provisions of the GDPR

The Hellenic Data Protection Authority has imposed its first sanction for non-compliance with the General Data Protection Regulation ("GDPR") on PricewaterhouseCoopers ("PWC"), amounting to 150.000€.

PWC processed employees' personal data in violation of the principles of accountability, lawfulness, fairness and transparency.

PWC gave employees the false impression that their personal data were being processed on the legal basis of consent, while in fact it was processing them on another legal basis of which employees were never informed, in breach of the principle of transparency set out in Article 5 GDPR and, consequently, of the obligation to provide information under Articles 13 and 14 GDPR.

For this reason, the Greek authority decided to impose a fine of 150.000€ on PWC in accordance with Article 83 GDPR, and also gave the company three months to bring the processing of its employees' personal data into compliance, to ensure the correct application of the principles infringed, and to evidence its compliance.

This sanction is the first fine for breach of the GDPR imposed on one of the Big Four.



7.- In Spain, telecommunications, energy and debt collection companies remain among those receiving the highest fines

Returning to Spain, the other fines imposed by the AEPD involve smaller amounts, similar to those that would have been imposed under the previous regulatory framework. Notable for their frequency are sanctions for controller errors in which receipts or invoices are claimed from the wrong data subject.

Endesa Energía XXI was sanctioned for an error in modifying the data of a contract and, by acknowledging its responsibility and voluntarily paying the fine, reduced the amount by 40%, to a final 60,000 euros. In most of the proceedings for this type of error the sanctioned entity is Vodafone, which used the same mechanisms and ended up paying 28,000 euros, 36,000 euros and 36,000 euros respectively.

On the other hand, the AEPD continues to sanction, under the GDPR, non-compliance related to the processing of debtor data, whether by including the data subject in shared debtor files (60,000 euros to Yoigo) or by exceeding the limits of the processing and claiming payment through channels and addresses that the data subject had not provided to the creditor and that had been collected from the Internet (60,000 euros to Gestión de Cobros, Yo Cobro).


8.- Other recent EU fines

· In France, Uniontrad Company has been fined EUR 20,000 for failing to comply with the requirements on the use of video surveillance systems. The sanctioned entity ignored the CNIL's warnings regarding the limitation of the time during which employees were recorded and the provision of adequate information about the processing.

· In Denmark, IDdesign (a furniture manufacturer) has been fined EUR 200,000 for failing to comply with the principle of storage limitation and for over-processing data from around 385,000 customers.

· In Romania, the supervisory authority has sanctioned Unicredit Bank with EUR 130,000 for a violation of the principles of privacy by design and by default, since its customers could access the ID and address of payers who made transactions from accounts at other entities.

· In Hungary, a festival organiser has been fined EUR 92,000 for failing to comply with the principles of purpose limitation and storage limitation. The sanctioned entity invoked its legitimate interest in ensuring the safety of attendees (in particular, against terrorist attacks), but the supervisory authority considered that the processing activities deployed to identify attendees were disproportionate.

· In Belgium, a mayor has been sanctioned with EUR 2,000 for using, for electoral purposes, e-mail addresses to which he had access in the exercise of his functions.

· In Germany, a police officer has been fined EUR 1,400 for misusing a data subject's data without duly justifying the link between his enquiries and the exercise of his duties.


9.- Table of sanctions imposed by the AEPD

Ramón y Cajal Abogados has analysed the fines and warnings imposed by the AEPD since the GDPR became applicable. The analysis is set out below, one entry per resolution:

Nº 1
Keywords: Apps, breach of transparency principle
Facts: The accused entity collected, through a mobile app, geolocation and microphone data from users' mobile phones. The objective was to detect fraud in the consumption of televised football in unauthorised venues. The AEPD considers that access to the microphone and location data is opaque and that the app should warn the user each time the controversial feature is activated. The LFP argues that it obtained the informed consent of the users and has announced that it will appeal the decision before the competent court ("Audiencia Nacional").
Section of GDPR infringed: Art. 5.1.a) GDPR, typified in art. 83.5 a) GDPR
Company/individual: Liga Nacional de Fútbol Profesional (LFP)
Penalty: 250.000€
Link: https://www.aepd.es/resoluciones/PS-00326-2018_ORI.pdf

Nº 2
Keywords: Energy, breach of integrity and confidentiality principle
Facts: ENDESA disclosed a third party's personal data by charging the claimant's bank account with a gas bill that did not correspond to her but to the third party.
Section of GDPR infringed: Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR
Company/individual: ENDESA ENERGÍA XXI, S.L.U.
Penalty: initial proposed fine 100.000€; final fine 60.000€ due to acknowledgement of responsibility and prompt payment
Link: https://www.aepd.es/resoluciones/PS-00074-2019_ORI.pdf

Nº 3
Keywords: Financial solvency/creditworthiness files, breach of accuracy principle
Facts: Due to an error in the entry of a telephone number, the claimant received calls from XFERA MÓVILES, S.A. demanding payment of a debt that the claimant did not owe and warning that the claimant would be recorded in a creditworthiness file.
Section of GDPR infringed: Art. 5 GDPR, typified in art. 83.5 GDPR
Company/individual: XFERA MÓVILES, S.A. (YOIGO)
Penalty: 65.000€
Link: https://www.aepd.es/resoluciones/PS-00094-2019_ORI.pdf

Nº 4
Keywords: Financial solvency/creditworthiness files, lack of lawfulness
Facts: AVON issued invoices with the claimant's personal data, and these were included in a financial solvency/creditworthiness file. AVON could not prove the lawfulness of the processing, since the contract that would have served as its basis was not signed and the data subject denied having entered into it.
Section of GDPR infringed: Art. 6 GDPR, typified in art. 83.5 GDPR
Company/individual: AVON COSMETICS S.A.U
Penalty: 60.000€
Link: https://www.aepd.es/resoluciones/PS-00159-2019_ORI.pdf

Nº 5
Keywords: Financial solvency/creditworthiness files, breach of accuracy principle
Facts: The company included the claimant's personal data in a creditworthiness file (BADEXCUG) although the claimant had already settled the debt.
Section of GDPR infringed: Art. 5.1 d) GDPR, typified in art. 83.5 GDPR
Company/individual: XFERA MÓVILES, S.A. (YOIGO)
Penalty: 60.000€
Link: https://www.aepd.es/resoluciones/PS-00011-2019_ORI.pdf

Nº 6
Keywords: Debt recovery, breach of integrity and confidentiality principle
Facts: The entity (a debt collection company) sent emails to the addresses the claimant had provided when taking out the credit, but also to the institutional email address of her workplace, which could be accessed by other people besides her.
Section of GDPR infringed: Art. 5.1.f) GDPR, typified in art. 83.2 GDPR
Company/individual: GESTIÓN DE COBROS, YO COBRO, S.L.
Penalty: 60.000€
Link: https://www.aepd.es/resoluciones/PS-00121-2019_ORI.pdf

Nº 7
Keywords: Telecommunications, lack of lawfulness (consent)
Facts: Processing of the claimant's ID number without his consent, because it was associated with another client. In addition, owing to VODAFONE's negligence, he could access that third client's profile without authorisation.
Section of GDPR infringed: Art. 6.1.a) GDPR, typified in art. 83.5 a) GDPR
Company/individual: VODAFONE ESPAÑA, S.A.U.
Penalty: initial proposed fine 60.000€; final fine 36.000€ due to acknowledgement of responsibility and prompt payment
Link: https://www.aepd.es/resoluciones/PS-00056-2019_ORI.pdf

Nº 8
Keywords: Breach of security of processing
Facts: The claimant, when accessing the company's customer area with her mother's username and password, was shown the data of a third party who had not consented to this.
Section of GDPR infringed: Art. 32 GDPR, typified in art. 83.4 a) GDPR
Company/individual: VODAFONE ONO, S.A.U
Penalty: initial proposed fine 60.000€; final fine 48.000€ due to prompt payment
Link: https://www.aepd.es/resoluciones/PS-00212-2019_ORI.pdf

Nº 9
Keywords: Telecommunications, breach of integrity and confidentiality principle
Facts: VODAFONE ONO sent an email to a large number of clients without using the blind copy (BCC) mechanism.
Section of GDPR infringed: Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR
Company/individual: VODAFONE ONO, S.A.U.
Penalty: initial proposed fine 60.000€; final fine 36.000€ due to acknowledgement of responsibility and prompt payment
Link: https://www.aepd.es/resoluciones/PS-00092-2019_ORI.pdf

Nº 10
Keywords: Telecommunications, breach of integrity and confidentiality principle
Facts: VODAFONE did not respect the quarantine period between a user's cancellation of a telephone number and the assignment of the same number to a new user. As a result, the personal data of the former customer continued to appear in the "My Vodafone" application even though the number now belonged to a new user.
Section of GDPR infringed: Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR
Company/individual: VODAFONE ESPAÑA S.A.U.
Penalty: initial proposed fine 60.000€; final fine 36.000€ due to acknowledgement of responsibility and prompt payment
Link: https://www.aepd.es/resoluciones/PS-00215-2019_ORI.pdf

Nº 11
Keywords: Breach of lawfulness, fairness and transparency principle
Facts: TELEFONICA charged the claimant's bank account with two invoices for the services he had contracted, showing the personal details and address of another client. The entity has not yet rectified the error.
Section of GDPR infringed: Art. 5.1.a) GDPR, typified in art. 83.2 GDPR
Company/individual: TELEFONICA MOVILES ESPAÑA, S.A.U.
Penalty: initial proposed fine 60.000€; final fine 48.000€ due to acknowledgement of responsibility and prompt payment
Link: https://www.aepd.es/resoluciones/PS-00173-2019_ORI.pdf

Nº 12
Keywords: Breach of integrity and confidentiality principle
Facts: VODAFONE disclosed the claimant's personal data to a third party via an SMS containing a link to the claimant's "Purchase Summary", where her data could be accessed.
Section of GDPR infringed: Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR
Company/individual: VODAFONE ESPAÑA, S.A.U.
Penalty: initial proposed fine 48.000€; final fine 30.000€ due to acknowledgement of responsibility and prompt payment
Link: https://www.aepd.es/resoluciones/PS-00205-2019_ORI.pdf

Nº 13
Keywords: Telecommunications, breach of accuracy principle
Facts: The complainant received more than 200 SMS messages because VODAFONE associated his phone number with other customers and used it, by mistake, to test message sending and check the quality of the online store.
Section of GDPR infringed: Art. 5.1.d) GDPR, typified in art. 83.5 GDPR
Company/individual: VODAFONE ESPAÑA, S.A.U.
Penalty: initial proposed fine 45.000€; final fine 27.000€ due to acknowledgement of responsibility and prompt payment
Link: https://www.aepd.es/resoluciones/PS-00411-2018_ORI.pdf

Nº 14
Keywords: Telecommunications, lack of lawfulness (consent)
Facts: The entity charged the claimant for a Netflix service that he had not contracted. VODAFONE could not prove that the data subject had given consent, nor had it carried out the minimum diligence required to verify the identity of the signatory.
Section of GDPR infringed: Art. 6.1 GDPR, typified in art. 83.5 GDPR
Company/individual: VODAFONE ESPAÑA, S.A.U.
Penalty: 40.000€
Link: https://www.aepd.es/resoluciones/PS-00064-2019_ORI.pdf

Nº 15
Keywords: Telecommunications, lack of lawfulness
Facts: VODAFONE invoiced a mobile phone user who was no longer a customer of the entity.
Section of GDPR infringed: Art. 6.1 GDPR, typified in art. 83.5 GDPR
Company/individual: VODAFONE ESPAÑA, S.A.U.
Penalty: initial proposed fine 35.000€; final fine 21.000€ due to acknowledgement of responsibility and prompt payment
Link: https://www.aepd.es/resoluciones/PS-00087-2019_ORI.pdf

Nº 16
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system inside a building without an informative sign. The employees had not been informed about their data protection rights, and the establishment did not have a form available for clients to exercise their rights.
Section of GDPR infringed: Art. 5.1 c) GDPR, typified in art. 83.5 GDPR
Company/individual: Individual
Penalty: 20.000€
Link: https://www.aepd.es/resoluciones/PS-00150-2019_ORI.pdf

Nº 17
Keywords: Breach of lawfulness, fairness and transparency principle
Facts: The claimant was recorded at his workplace using another employee's mobile phone and without his consent. These recordings were provided as evidence to justify the disciplinary sanction imposed on him.
Section of GDPR infringed: Art. 5.1 a) GDPR, typified in art. 83.5 GDPR
Company/individual: SANTI 3000, S.L. (RESTAURANTE LA OLIVA)
Penalty: initial proposed fine 12.000€; final fine 9.600€ due to prompt payment
Link: https://www.aepd.es/resoluciones/PS-00401-2018_ORI.pdf

Nº 18
Keywords: Video surveillance, breach of minimisation principle
Facts: Following an inspection, the Local Police found an image-recording device in the corridor area of a building, used to monitor the workers inside the residence. In addition, there was no informative sign.
Section of GDPR infringed: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Company/individual: Individual
Penalty: 9.000€
Link: https://www.aepd.es/resoluciones/PS-00050-2019_ORI.pdf

Nº 19
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system consisting of a series of security cameras oriented towards the public road without just cause.
Section of GDPR infringed: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Company/individual: AMADOR RECREATIVOS, S.L. (Playroom TIKI TAKA)
Penalty: initial proposed fine 6.000€; final fine 3.600€ due to acknowledgement of responsibility and prompt payment
Link: https://www.aepd.es/resoluciones/PS-00135-2019_ORI.pdf

Nº 20
Keywords: Telecommunications, financial solvency/creditworthiness files, breach of accuracy principle
Facts: VODAFONE included the claimant's data in a financial solvency/creditworthiness file despite a complaint previously filed by the data subject with the Telecommunications Authority ("Secretaría de Estado para el Avance Digital - SEAD") over discrepancies in the application of a call voucher signed with the operator. SEAD had upheld that complaint.
Section of GDPR infringed: Art. 5.1.d) GDPR, typified in art. 83.5 GDPR
Company/individual: VODAFONE ESPAÑA S.A.U.
Penalty: 5.000€
Link: https://www.aepd.es/resoluciones/PS-00331-2018_ORI.pdf

Nº 21
Keywords: No purpose limitation, breach of integrity and confidentiality principle
Facts: The claimant filled out a form with his personal data to request information about an offer and was added to a WhatsApp group without his consent.
Section of GDPR infringed: Art. 5.1.b) and f) GDPR, typified in art. 83.5 a) GDPR
Company/individual: DESSAU ARTE INMOBILIARIO, S.L. (CENTURY 21 ARQUITECTURA)
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00195-2019_ORI.pdf

Nº 22
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a recording device pointed directly at the claimant's workstation in a disproportionate manner, affecting the claimant's privacy.
Section of GDPR infringed: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Company/individual: ELECTROMECANICA REYES, S.L
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00123-2019_ORI.pdf

Nº 23
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system that disproportionately captured images of public space.
Section of GDPR infringed: Art. 5 GDPR, typified in art. 83.5 GDPR
Company/individual: METROPOLITAN SPAIN, SL (Gym)
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00341-2018_ORI.pdf

Nº 24
Keywords: Breach of integrity and confidentiality principle
Facts: An information note showing a neighbour's debts was posted in a part of the community premises accessible to neighbours and third parties.
Section of GDPR infringed: Art. 5.1.f) GDPR, typified in art. 83.5 GDPR
Company/individual: Community of neighbours
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00084-2019_ORI.pdf

Nº 25
Keywords: Communication of personal data, lack of lawfulness (consent)
Facts: The owners of a workshop communicated the claimant's details to a third party without his consent, in connection with irregularities in an invoice. The third party contacted him to "resolve the situation" by means of coercion.
Section of GDPR infringed: Art. 6.1.a) GDPR, typified in art. 83.5 a) GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00105-2019_ORI.pdf

Nº 26
Keywords: Video surveillance, lack of information
Facts: Installation of a video surveillance system in a vehicle workshop without the informative sign that notifies data subjects that personal data are being processed.
Section of GDPR infringed: Art. 13 GDPR, typified in art. 83.5 b) GDPR
Company/individual: FORMAUTO ALVAREZ FERNANDEZ, S.L.
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00136-2019_ORI.pdf

Nº 27
Keywords: Telecommunications, lack of lawfulness
Facts: The company assigned a telephone line payment to the claimant without his consent. Some personal data concerning the claimant in the entity's database did not belong to him but to an unknown third party.
Section of GDPR infringed: Art. 6.1 GDPR, typified in art. 83.5 a) GDPR
Company/individual: VODAFONE ESPAÑA, S.A.U.
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00086-2019_ORI.pdf

Nº 28
Keywords: Communication for marketing purposes, lack of lawfulness (consent)
Facts: The company used the complainant's email address to send her newsletters after she had withdrawn her consent and the company had confirmed that the unsubscription had been completed.
Section of GDPR infringed: Art. 6.1.a) GDPR, typified in art. 83.5 a) GDPR
Company/individual: ANIMA NATURALIS
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00400-2018_ORI.pdf

Nº 29
Keywords: Lack of information
Facts: The website portaenrere.cat did not offer any information on its privacy policy or legal notice, or on how it processed the personal data of people who subscribed to it.
Section of GDPR infringed: Art. 13 GDPR, typified in art. 83.5 b) GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00100-2019_ORI.pdf

Nº 30
Keywords: Video surveillance, breach of minimisation principle
Facts: The respondent installed a video surveillance system on the balcony of his home for security purposes, which captured images of the public road disproportionately and unnecessarily in relation to that purpose.
Section of GDPR infringed: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00416-2018_ORI.pdf

Nº 31
Keywords: Video surveillance, breach of minimisation principle
Facts: The respondents installed a video surveillance system in their dwelling that could capture images of the public road and of the neighbouring dwelling.
Section of GDPR infringed: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Company/individual: Individuals
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00349-2018_ORI.pdf

Nº 32
Keywords: Lack of information
Facts: The respondent collected personal data from users to send them confirmation of the products selected in the shopping cart and to contact them in case of incidents, without providing the information required by the GDPR.
Section of GDPR infringed: Art. 13 GDPR, typified in art. 83.5 b) GDPR
Company/individual: LIVING TERRITORIWEB, S.L.
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00419-2018_ORI.pdf

Nº 33
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of cameras that captured images of a vehicle traffic area on a public road.
Section of GDPR infringed: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Company/individual: DUNNES STORES ANDALUCIA S.A
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00130-2019_ORI.pdf

Nº 34
Keywords: Video surveillance, out-of-date information
Facts: Installation of a video surveillance system that recorded images continuously. There was an informative sign with a link to the web page of the company that carried out the installation, but that website did not include the information required by the GDPR.
Section of GDPR infringed: Arts. 12.1 and 13 GDPR, typified in art. 83.5 b) GDPR
Company/individual: KIOROMAR, S.L.
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00352-2018_ORI.pdf

Nº 35
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system to obtain images of the public road because of a "bad relationship" between the respondent and his neighbour, which does not justify recording the public road and also affects third parties.
Section of GDPR infringed: Art. 5.1 c) GDPR, typified in art. 83.5 a) GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00077-2019_ORI.pdf

Nº 36
Keywords: Minors, lack of lawfulness (consent)
Facts: The association photographed the claimant's children in order to sell calendars without asking for the specific consent of their parents.
Section of GDPR infringed: Arts. 6.1 a) and 8 GDPR, typified in art. 83 GDPR
Company/individual: ASOCIACIÓN DE MADRES Y PADRES DEL COLEGIO MARÍA BLANCHARD (Parents' association of a school)
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00089-2019_ORI.pdf

Nº 37
Keywords: Public entity, breach of integrity and confidentiality principle
Facts: The entity displayed on its notice board (located on the public road) a list of fourteen people with their corresponding ID numbers and signatures, without their consent.
Section of GDPR infringed: Art. 5.1.f) GDPR, typified in art. 83.5 a) GDPR
Company/individual: CONCEJO DE GARISOAIN (Public regional administration)
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00066-2019_ORI.pdf

Nº 38
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system that recorded images of the holder's porch and of the public street, although its only purpose was to obtain images of the private surroundings.
Section of GDPR infringed: Art. 5.1.c) and 6 GDPR, typified in art. 83.5 a) GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00003-2019_ORI.pdf

Nº 39
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system, one of whose cameras focused disproportionately on the dwelling bordering the respondent's, without the appropriate informative sign.
Section of GDPR infringed: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00090-2019_ORI.pdf

Nº 40
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system that recorded images of both the public street and the establishment's terrace.
Section of GDPR infringed: Art. 5.1.c) GDPR, typified in art. 83.5 a) GDPR
Company/individual: GURMELIA S.C. (TAPERÍA ALBEDRÍO)
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00354-2018_ORI.pdf

Nº 41
Keywords: Video surveillance, breach of minimisation principle, lack of lawfulness
Facts: Installation of a video surveillance system outside the owner's dwelling, focusing on the balconies of the adjoining dwellings and on the public street.
Section of GDPR infringed: Art. 5.1 c) and 6 GDPR, typified in art. 83.5 a) GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00010-2019_ORI.pdf

Nº 42
Keywords: Communication for marketing purposes, lack of transparency and information
Facts: The controller, when collecting personal information, did not offer an option to object to the processing of personal data for direct marketing purposes.
Section of GDPR infringed: Art. 12 GDPR, typified in art. 83.5 b) GDPR
Company/individual: TALLERES AUTOPINTURA JIMENEZ, S.L.
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00429-2018_ORI.pdf

Nº 43
Keywords: Workplace, breach of integrity and confidentiality principle
Facts: The entity sent an email to the claimant and three other colleagues about a work-related issue without using the blind copy (BCC) mechanism.
Section of GDPR infringed: Art. 5.1 f) GDPR, typified in art. 83.5 a) GDPR
Company/individual: QUALITY TECHNOLOGY SOLUTIONS ALPE, S.L.
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00040-2019_ORI.pdf

Nº 44
Keywords: Workplace, breach of accuracy principle
Facts: The claimant's image was still linked to the company's web page and to web search results even though he had not worked there for two years.
Section of GDPR infringed: Art. 5.1 d) GDPR, typified in art. 83.5 a) GDPR
Company/individual: CIBES LIFT IBERICA, S.L.
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00054-2019_ORI.pdf

Nº 45
Keywords: Breach of integrity and confidentiality principle
Facts: The entity gave its members access to documentation containing personal data of the complainant and of the members he proposed as witnesses in the disciplinary proceedings the entity had initiated against him.
Section of GDPR infringed: Art. 5.1 f) GDPR, typified in art. 83.5 a) GDPR
Company/individual: CLUB RECREATIVO DEPORTIVO PARQUE CARTUJA (Sports club)
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00037-2019_ORI.pdf

Nº 46
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a camouflaged video surveillance system with cameras looking onto the public street, monitoring the entrance of the claimant's building, and without the proper informative sign.
Section of GDPR infringed: Art. 5 and 6 GDPR, typified in art. 83.5 a) GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00334-2018_ORI.pdf

Nº 47
Keywords: Video surveillance, lack of information, breach of minimisation principle
Facts: Installation of an unmarked video surveillance system filming people passing through the street without just cause.
Section of GDPR infringed: Art. 5.1.c) and 6 GDPR, typified in art. 83.5 a) GDPR
Company/individual: CALVADOS 14, S.L.
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00022-2019_ORI.pdf

Nº 48
Keywords: Breach of integrity and confidentiality principle, security measures, security breach
Facts: Employees of the school's cleaning service threw documents into a container, including students' examinations bearing personal data, without taking appropriate measures to destroy them.
Section of GDPR infringed: Art. 5.1 f) GDPR, typified in art. 83.5 a) GDPR
Company/individual: NOBELIS, SOCIEDAD COOPERATIVA MADRILEÑA (Private educational centre)
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00002-2019_ORI.pdf

Nº 49
Keywords: Breach of integrity and confidentiality principle
Facts: The entity sent an email to 24 people without using the blind copy (BCC) mechanism.
Section of GDPR infringed: Art. 5.1 f) GDPR, typified in art. 83.5 a) GDPR
Company/individual: THE OLIVER GROUP TORREVIEJA, S.L.
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00405-2018_ORI.pdf

Nº 50
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system on the respondent's façade without authorisation.
Section of GDPR infringed: Art. 5.1 c) and 6 GDPR, typified in art. 83.5 a) GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00376-2018_ORI.pdf

Nº 51
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a camera in a dwelling that captured disproportionate images of the public road without authorisation.
Section of GDPR infringed: Art. 5.1 c) and 6 GDPR, typified in art. 83.5 a) GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00418-2018_ORI.pdf

Nº 52
Keywords: Lack of information
Facts: The website collected personal data from people who accessed and registered on it without providing them with the required information.
Section of GDPR infringed: Art. 13 GDPR, typified in art. 83.5 GDPR
Company/individual: WWW.YELLOWELEPHANT.ES
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00015-2019_ORI.pdf

Nº 53
Keywords: Video surveillance, breach of minimisation principle, lack of lawfulness
Facts: Installation of a video surveillance system in a building, focusing on the public road, without any informative sign.
Section of GDPR infringed: Art. 5.1 c) and 6 GDPR, typified in art. 83.5 a) and b) GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00335-2018_ORI.pdf

Nº 54
Keywords: Financial solvency/creditworthiness files, breach of accuracy principle
Facts: Inclusion of the claimant's personal data in a financial solvency/creditworthiness file (ASNEF) in respect of a debt that was not certain, due or enforceable.
Section of GDPR infringed: Art. 5.1 d) GDPR, typified in art. 83.5 a) GDPR
Company/individual: SISTEMAS FINANCIEROS MOVILES SL
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00330-2018_ORI.pdf

Nº 55
Keywords: Workplace, video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system in the hotel premises that captured images of the staff canteen, the door of the staff toilets, etc.
Section of GDPR infringed: Art. 5.1 c) GDPR, typified in art. 83.5 GDPR
Company/individual: HOTEL ROYAL AL ANDALUS S.A.
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00346-2018_ORI.pdf

Nº 56
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system on the entity's façade, focusing on its entrance, that captured images of people passing through the street and of vehicles circulating on the roadway.
Section of GDPR infringed: Art. 5.1 c) GDPR, typified in art. 83.5 GDPR
Company/individual: SANCHEZ JOYEROS TEMPO 2016, S.L.
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00348-2018_ORI.pdf

Nº 57
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a video surveillance system which focused on the complainant's home.
Section of GDPR infringed: Art. 5.1 c) GDPR, typified in art. 83.5 GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00347-2018_ORI.pdf

Nº 58
Keywords: Video surveillance, breach of minimisation principle
Facts: Installation of a panoramic video surveillance camera at the entrance of its facilities, capturing images of people passing through the street.
Section of GDPR infringed: Art. 5.1 c) GDPR, typified in art. 83.5 GDPR
Company/individual: TODOFUNDICION, S.L.
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00375-2018_ORI.pdf

Nº 59
Keywords: Video surveillance, breach of minimisation principle, lack of lawfulness
Facts: Installation of a video surveillance system on the respondent's private property but oriented towards the public street in order to obtain images of her vehicle, without any informative sign.
Section of GDPR infringed: Art. 5.1 c) and 6.1 GDPR, typified in art. 83.5 a) and b) GDPR
Company/individual: Individual
Penalty: Warning
Link: https://www.aepd.es/resoluciones/PS-00378-2018_ORI.pdf

Nº 60
Keywords: Breach of data minimisation principle
Facts: The complainant applied for the selection process of the Superior Corps of Technicians in Penitentiary Institutions. Typing her name and surname into the Google search engine returns a reference to the BOE containing the resolution listing admitted and excluded candidates.

 

The resolution contains the claimant's personal data (Name/Surname/ID number/disability degree).

 

Art. 5.1 c) and 9. 1 GDPR, typified in art. 83.5 a) and b) GDPR

Secretaría General de Instituciones Penitenciarias

(Body of Penitentiary Institutions)

Warning

https://www.aepd.es/resoluciones/PS-00361-2018_ORI.pdf

61

 

Video surveillance, breach of lawfulness principle

 

Placement of a video camera that focused directly on the entrance of the Headquarters without informing the agents of the placement or its purpose and without any informative sign.

 

 

Art. 6.1 c) GDPR, typified in art. 83.5 a)  GDPR

 

Ayuntamiento de Corita del Ebro

(Corita del Ebro City Council)

 

Warning

 

https://www.aepd.es/resoluciones/PS-00359-2018_ORI.pdf

 

62

 

Lack of information

 

Collection of personal data of users through a web form without being provided with the information required by Article 13 GDPR correctly and completely.

 

 

Art. 13 GDPR, typified in art. 83.5 b)  GDPR

 

Individual

Warning

https://www.aepd.es/resoluciones/PS-00377-2018_ORI.pdf

63

Video surveillance, breach of minimisation principle

 

Installation of two video surveillance cameras on the façade of an establishment facing the street and the entrance to a building.

 

 

Art. 5.1.c)  GDPR, typified in art. 83.5 a)  GDPR

 

VENDING Y DISTRIBUCIÓN 2017, S.L

Warning

 

https://www.aepd.es/resoluciones/PS-00353-2018_ORI.pdf

64

Video surveillance, breach of minimisation principle

 

Installation of a video surveillance system pointing at the public road and without the proper informative sign. In addition, the images were stored indefinitely.

 

Art. 5.1 c) GDPR, typified in art. 83.5 GDPR

Individual

Warning

https://www.aepd.es/resoluciones/PS-00120-2019_ORI.pdf

65

Video surveillance, breach of minimisation principle

 

Installation of a video surveillance system both inside and outside a bar, recording external public areas.

 

Inside the bar there was no informative sign, and outside there was a small sign that could not be easily seen.

 

Art. 5.1 c) GDPR, typified in art. 83.5 GDPR

BAR TARIQUEJO

Warning

https://www.aepd.es/resoluciones/PS-00117-2019_ORI.pdf

66

Lack of information

 

The company processed personal data without providing the data subjects with the information required by data protection regulations.

 

 

Art. 13 GDPR, typified in art. 83.5 GDPR

 

CHAPAUTO SPORT, S.L.

Warning

https://www.aepd.es/resoluciones/PS-00408-2018_ORI.pdf

67

Breach of integrity and confidentiality principle, public administration

 

Processing of personal information of citizens who went to the Department of Social Services of the City Council in offices shared by several professionals.

 

 

Arts. 5.1.f) and art. 32.1.b) GDPR, typified in art. 83.4 a) GDPR

 

 

AYUNTAMIENTO DE PARLA

(Parla City Council)

Warning

https://www.aepd.es/resoluciones/PS-00365-2018_ORI.pdf

68

Breach of security of processing

Defective configuration of an email account dedicated to internal management of the store. The emails that were sent from that account were visible on the devices exposed in the store.  

 

Art. 32 GDPR, typified in art. 83.4 a) GDPR

 

BALMORE ATLANTIC, S.L.

Warning

https://www.aepd.es/resoluciones/PS-00431-2018_ORI.pdf

69

 

Communication for marketing purposes, withdrawing of consent

 

The complainant continued to receive communications for marketing purposes of Vodafone via SMS despite having expressed his wish not to receive them.

 

Art. 21.1 E-commerce Act, typified in art. 38.4.d)

 

VODAFONE ESPAÑA, S.A.U.

 

Initial proposed fine: 10.000€

Final fine: 6.000€ due to responsibility recognition and prompt payment.

 

 

https://www.aepd.es/resoluciones/PS-00189-2019_ORI.pdf

70

Communication for marketing purposes, lack of lawfulness (consent)

The complainant received communications for marketing purposes from the Company without having had any commercial relationship in the past.

 

Art. 21.1 E-commerce Act, typified in art. 38.4.d)

 

MAPEX AGENCIA CONSULTING, S.L.

1.000€

 

https://www.aepd.es/resoluciones/PS-00169-2019_ORI.pdf

 
Further information:

Norman Heckh
nheckh@ramoncajal.com

María Luisa González
mlgonzalez@ramoncajal.com

Madrid

Almagro, 16-18
Madrid 28010
T: (+34) 91 576 19 00

Barcelona

Avenida Diagonal 615, 8ª planta.
08028
T (+34) 93 494 74 82