AN - 2967/2021: Difference between revisions
(→Facts) |
No edit summary |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 37: | Line 37: | ||
|Party_Link_5= | |Party_Link_5= | ||
|Appeal_From_Body=AEPD | |Appeal_From_Body=AEPD (Spain) | ||
|Appeal_From_Case_Number_Name=PS/00451/2019 | |Appeal_From_Case_Number_Name=PS/00451/2019 | ||
|Appeal_From_Status= | |Appeal_From_Status= | ||
Line 50: | Line 50: | ||
}} | }} | ||
The Spanish National High Court | The Spanish National High Court held that the Spanish DPA correctly interpreted the GDPR and the national law in a case regarding the unlawful processing of data, and that it imposed a proportionate and justified fine. | ||
== English Summary == | == English Summary == |
Latest revision as of 09:52, 10 September 2021
AN - 2967/2021 | |
---|---|
Court: | AN (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1)(f) GDPR Article 83(5) GDPR |
Decided: | 02.07.2021 |
Published: | 22.07.2021 |
Parties: | EQUIFAX IBERICA S.L. |
National Case Number/Name: | 2967/2021 |
European Case Law Identifier: | ECLI:ES:AN:2021:2967 |
Appeal from: | AEPD (Spain) PS/00451/2019 |
Appeal to: | |
Original Language(s): | Spanish |
Original Source: | CENDOJ (in Spanish) |
Initial Contributor: | n/a |
The Spanish National High Court held that the Spanish DPA correctly interpreted the GDPR and the national law in a case regarding the unlawful processing of data, and that it imposed a proportionate and justified fine.
English Summary
Facts
In its decision AEPD - PS/00451/2019, the Spanish DPA (AEPD) fined Equifax, a credit agency, €75,000 for unlawful processing of data.
Equifax appealed this decision with the Spanish National High Court (Audiencia Nacional, "AN").
Holding
The court declared that the decision issued by the AEPD, since the DPA had carried out a correct interpretation of the GDPR and the Spanish Data Protection Act.
Since the controller had failed to block the data included in the credit file for 30 days, as the Data Protection Act requires, the controller was processing the data unlawfully, and could therefore not rely on any legal basis.
Additionally, the court noted that the controller had alleged that, since the Data Protection Act had entered recently into force, they had not been able to implement a proper blocking system, and they did not have the means at the time to block the data; so the controller had acknowledged that they had not carried out the blockage.
The court also remarked that the fine was proportional, since the DPA had taken into account the circumstances of the case and had imposed a proportionate and justified fine, in accordance with Article 83(5) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
It seems you don't have the plugin configured to view the embedded pdf ... you can download the resolution here.