AEPD - PS/00287/2020
|AEPD - PS/00287/2020|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 32(1) GDPR
|Parties:||Comercio Online Levante, S.L.|
|National Case Number/Name:||PS/00287/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
|Initial Contributor:||GDPR MASTer Project|
The Spanish DPA (AEPD) imposed a fine of €3,000 to an online perfume shop for displaying personal data (including billing information and address) to a different client when the claimant tried to access their user account.
English Summary[edit | edit source]
Facts[edit | edit source]
When a client tried to access their user account on the website of Comercio Online Levante, S.L., they were directed to the account if another client, therefore having access to the data of such client. The claimant sent an email sent to the online shop informing of the incident but received no answer, so they filed a complaint with the AEPD describing the incident.
Dispute[edit | edit source]
Did Comercio Online Levante, S.L. infringe the principle of confidentiality established by Article 5(1)(f) GDPR?
Was there a personal data breach?
Holding[edit | edit source]
The AEPD considered that there was an infringement of Article 5(1)(f), as there was a leak of personal data without the consent of the data subject. Additionally, they considered that there was an infringement of Article 32(1), as they concluded that the online shop did not have the appropriate technical and organisational measures in place to ensure an adequate level of protection.
For this, the AEPD fined Comercio Online Levante, S.L.:
- for the infringement of Article 5(1)(f), €2,000.
- for the infringement of Article 32(1), €1,000.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.