APRIL 2021
Date: 04-05-2021
Name: Stockhunters S.L.
Sector: Finance, Insurance and Consulting
Country: Spain
Type: Insufficient fulfilment of information obligations
Fine: 4,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Stockhunters S.L. The controller was not able to answer the data subject's requests regarding the use of his personal data. In addition, the data protection policy of the controller's website did not comply with the provisions of Art. 13 GDPR. The data subject was therefore unsure of how his personal data was being used.
Date: 04-05-2021
Name: Electrotecnica Bastida S.L.
Sector: Industry and Commerce
Country: Spain
Type: Insufficient technical and organisational measures to ensure information security
Fine: 3,000 EUR
Summary:
The Spanish DPA (AEPD) has fined Electrotecnica Bastida S.L. EUR 3,000. Police officers had found 29 envelopes addressed to the controller's respective employees on a vacant lot in the local industrial area. Two envelopes had already been opened. The envelopes contained results of medical examinations. The AEPD considered this to be a breach of the controller's duty to implement adequate technical and organizational measures to protect the processing of personal data.
Date: 04-05-2021
Name: Kukimbia S.L.
Sector: Industry and Commerce
Country: Spain
Type: Insufficient technical and organisational measures to ensure information security
Fine: 3,000 EUR
Summary:
The Spanish DPA (AEPD) has fined Kukimbia S.L. EUR 3,000. The controller is a company that stores, transports and distributes goods. Documents containing personal data about the controller's customers and suppliers were found freely accessible next to a trash can near one of the controller's warehouses. The DPA determined that the controller had violated Art. 32 GDPR.
Date: 04-06-2021
Name: Promotech Digital S.L.
Sector: Finance, Insurance and Consulting
Country: Spain
Type: Insufficient fulfilment of data subjects rights
Fine: 2,400 EUR
Summary:
The Spanish DPA (AEPD) has fined Promotech Digital S.L. EUR 2,400 for repeatedly sending the data subject advertising SMS, even though he never subscribed or agreed to receive SMS. Furthermore, the SMS did not offer a direct option to unsubscribe from the advertising. Instead, reference was made to the possibility of cancellation by email. Even though the data subject had objected to receiving further SMS, he continued to receive SMS from the controller. The original fine of EUR 3,000 was reduced by 20% to EUR 2,400 due to immediate payment and acknowledgement of guilt.
Date: 04-08-2021
Name: Kutxabank, S.A.
Sector: Finance, Insurance and Consulting
Country: Spain
Type: Insufficient fulfilment of data subjects rights
Fine: 60,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 100,000 on Kutxabank, S.A. Following a complaint from a former customer, who claimed that the bank did not comply with his request for erasure of his data, the DPA started an investigation against the controller. The data subject had already been a customer of the bank in the past. At that time, he had exercised his right to erasure of his data. When he tried to open a new account with the controller, he was informed that this was not possible as his data was still blocked (due to his previous erasure request). The controller further informed the data subject that he would have to unblock the data if he wanted to open an account. For this purpose, a form was attached to the letter. The form stated that by signing it, the data subject was revoking his right to erasure and allowing his data to be used (again) by the controller. The DPA found that temporarily blocking the data does not correspond to the right to erasure. The DPA also emphasized that deleted or blocked data may not be processed again when a new contractual relationship is entered into with the controller, even if the new processing purpose is the same as the previous one. The original fine of EUR 100,000 was reduced to EUR 60,000 due to the immediate payment and acknowledgement of guilt.
Date: 04-09-2021
Name: Miljø- og Kvalitetsledelse AS
Sector: Industry and Commerce
Country: Norway
Type: Insufficient legal basis for data processing
Fine: 3,400 EUR
Summary:
The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 3,400 on Miljø- og Kvalitetsledelse AS. At one of the carwashes operated by the controller, incidents of vandalism had occurred at the payment terminal. The controller thereupon sent footage of the incident from a surveillance camera to the employer of the alleged vandal. The Norwegian DPA concluded that the sharing of the video footage had taken place without a legal basis and the controller had thus violated Art. 6 (1) GDPR and Art. 5 (1) a) GDPR. Furthermore, the DPA emphasizes that the disclosure of the recordings was not necessary to clarify the incident, as the recordings had already been provided to the police.
Date: 04-13-2021
Name: Vodafone España, S.A.U.
Sector: Media, Telecoms and Broadcasting
Country: Spain
Type: Insufficient legal basis for data processing
Fine: 90,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 150,000 on Vodafone España S.A.U. Three data subjects had filed complaints with the AEPD against the controller. They complained about receiving unsolicited text messages from the controller informing them of new invoices, even though there was no longer a contractual relationship between them and the controller. Moreover, there were no outstanding invoices, as the amount to be paid was always zero euros. The data subjects had asked the controller several times to stop sending them text messages and to delete their data. The controller had explained that the messages had been sent due to a technical error and assured the data subjects that they would no longer receive such notifications in the future. However, the sending continued. The original fine of EUR 150,000 was reduced to EUR 90,000 due to immediate payment and admission of guilt.
Date: 04-15-2021
Name: Private Individual
Sector: Individuals and Private Associations
Country: Spain
Type: Non-compliance with general data processing principles
Fine: 3,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a private individual. The controller resides on the 1st floor of an apartment building, where he is the owner of apartments on the 2nd and 3rd floors. He regularly rents out these apartments to tourists. The controller had installed four video cameras on the three floors and in the entrance area of the building. He justified their operation with security concerns related to the rental to tourists. The owners' association had not granted permission for the operation of the cameras. Also, the controller did not put up a sign in the building informing about the operation of the camera. The DPA found this to be a violation of the principle of data minimization, as the cameras covered areas of the building used by the community, whose monitoring was not necessary for the protection of the controller's property. Furthermore, the controller violated his obligation to provide information, as he failed to inform the other residents of the building about the processing of their data.
Date: 04-15-2021
Name: S.C. Tip Top Food Industry S.R.L
Sector: Employment
Country: Romania
Type: Insufficient legal basis for data processing
Fine: 5,000 EUR
Summary:
The Romanian DPA (ANSPDCP) has fined S.C. Tip Top Food Industry S.R.L. EUR 5,000. The controller had installed several video cameras in the food areas and changing rooms to surveil its employees. The CCTV was intended to deter theft and protect the manufactured goods. The Romanian DPA stated that the controller violated the principle of data minimization, as such extensive surveillance was not necessary. The goods produced could have been protected by methods less intrusive to the privacy of the employees.
Date: 04-19-2021
Name: Pub owner
Sector: Accommodation and Hospitality
Country: Spain
Type: Non-compliance with general data processing principles
Fine: 1,500 EUR
Summary:
The Spanish DPA (AEPD) fined the owner of a pub EUR 1,500 due to the unauthorized use of two video surveillance cameras covering parts of the public space.
Date: 04-19-2021
Name: Lugera & Makler Broker S.R.L.
Sector: Finance, Insurance and Consulting
Country: Romania
Type: Insufficient technical and organisational measures to ensure information security
Fine: 1,500 EUR
Summary:
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 1,500 on Lugera & Makler Broker S.R.L. The controller had accidentally destroyed data of customers of Raiffeisen Bank S.A., for which it acted as processor. The ANSPDCP states that the incident occurred due to the fact that the controller had not taken sufficient technical and organizational measures to ensure an adequate level of protection of the data processing.
Date: 04-20-2021
Name: Highcliffe Estates Marbella S.L.
Sector: Real Estate
Country: Spain
Type: Insufficient legal basis for data processing
Fine: 8,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 8,000 on Highcliffe Estates Marbella S.L. The controller had published a photo of the data subject on its website without his consent.
Date: 04-22-2021
Name: Private Individual
Sector: Individuals and Private Associations
Country: Spain
Type: Non-compliance with general data processing principles
Fine: 1,500 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed a surveillance camera on his property, which recorded, among other things, the public space and neighboring properties. According to the controller, he had installed the camera for security purposes regarding his property. The AEPD considered this to be a violation of the principle of data minimization, as such extensive monitoring was not necessary to protect the controller's property.
Date: 04-23-2021
Name: Equifax Iberica S.L.
Sector: Finance, Insurance and Consulting
Country: Spain
Type: Insufficient legal basis for data processing
Fine: 1,000,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 1,000,000 on Equifax Ibérica, SL. A total of 96 complaints were filed with the DPA against the controller because it had included personal data of individuals associated with alleged debts in the Judicial Claims and Public Entities File ('FIJ') without their consent. In some cases, these data were not even correct. According to the DPA, the processing of the data subjects' personal data involving the FIJ file had been unlawful and violated several data protection principles of data processing (lawfulness and transparency, purpose limitation, data minimization, and accuracy). In addition, the controller had not properly informed the data subjects about the processing of their data, thus violating its duty to inform them.
Date: 04-26-2021
Name: Financial company
Sector: Finance, Insurance and Consulting
Country: Belgium
Type: Insufficient technical and organisational measures to ensure information security
Fine: 100,000 EUR
Summary:
The Belgian DPA (APD) has imposed a fine of EUR 100,000 on a financial company. A data subject had filed two complaints with the APD against the company. They were based on 20 queries of her personal data from the credit register of the National Bank of Belgium. The controller employs the data subject's ex-husband, who allegedly used his role to unlawfully gain access to the register in order to obtain financial information about the data subject and thus gain an advantage in their divorce proceedings. As the DPA noted, the data protection violations occurred due to the fact that the controller had not taken adequate organizational measures to protect personal data from unauthorized processing.
Date: 04-27-2021
Name: Anytime Fitness Iberia S.L.
Sector: Industry and Commerce
Country: Spain
Type: Insufficient fulfilment of data subjects rights
Fine: 15,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 15,000 on Anytime Fitness Iberia S.L. A data subject had filed a complaint with the AEPD against the controller due to the fact that the controller continued to send him SMS advertisements, despite the fact that he had requested the deletion of his data and the controller had confirmed the deletion. The fine is composed proportionally of EUR 10,000 for a breach of Art. 17 GDPR and EUR 5,000 for a breach of Art. 21 LSSI.
Date: 04-27-2021
Name: Pagamastarde S.L.
Sector: Finance, Insurance and Consulting
Country: Spain
Type: Insufficient fulfilment of data subjects rights
Fine: 3,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Pagamastarde S.L. A data subject had filed a complaint with the AEPD against the controller due to the fact that the controller continued to send him SMS advertisements, despite the fact that he had requested the deletion of his data and the controller had confirmed the deletion. The controller stated that the data subject's request had not been fulfilled due to a human error. The fine is composed proportionately of EUR 3,000 for a violation of Art. 17 (1) GDPR and EUR 2,000 for a violation of Art. 21 LSSI. The original fine of EUR 5,000 was reduced to EUR 3,000 due to immediate payment and admission of guilt.