AEPD (Spain) - PS/00151/2021
|AEPD (Spain) - PS/00151/2021|
|Relevant Law:||Article 28(3) GDPR|
|National Case Number/Name:||PS/00151/2021|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
|Initial Contributor:||Mohamed Siddibeh Kurubally|
The Spanish DPA fined a controller, Marbella Resorts, €7000 (reduced to €4200) for not having a data processing agreement with the processor and for infringing the Spanish Law regulating cookies by, among other things, placing unnecessary cookies without obtaining user consent.
English Summary[edit | edit source]
Facts[edit | edit source]
The decision is the consequence of a complaint submitted by a data subject with the Spanish DPA (AEPD) stating that, after being a guest in a hotel, they they were warned about their ID card having been found, along with their personal information, on an adults website.
Also, the data subject addressed an access request access to the hotel, that informed them that the day the data subject checked in, the reception desk was closed and the person who scanned their ID card was an employee of the building's owners association, that managed the entry/exit of the guests outside opening hours.
Holding[edit | edit source]
The AEPD concluded that the defendant had infringed Article 28(3) of the GDPR, since the controller did not have a data processing agreement with the processor (building's owners association) to govern the processing of personal data. Consequently, the AEPD fined the controller €5000 for the infringement of Article 28(3) GDPR.
In total, the AEPD fined the controller €7000, that were reduced to €4200 due to early and voluntary payment and recognizing its responsibility.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.