In our article on the benefits of conducting periodic data protection audits, we already highlighted the importance of companies complying with their data protection obligations, and we saw that, among other reasons, avoiding penalties is a key motive for staying up to date and compliant with data protection regulations.
In other words, companies in Spain are required to comply with the General Data Protection Regulation (“GDPR”) and the Organic Law on Data Protection and Guarantee of Digital Rights (“LOPDGDD”). Failure to comply with these regulations can result in financial penalties imposed by the Spanish Data Protection Agency (“AEPD”) that can reach up to 20 million euros or 4% of the global annual turnover.
The AEPD is the public body responsible for ensuring compliance with personal data protection regulations in Spain and, among its functions, has the authority to impose financial fines and other corrective measures in case of infringements.
The AEPD usually publishes an Annual Report every year, an official document summarizing the agency’s activity throughout the year, including its sanctioning activity, which lets us see which infringements are most frequently penalized in Spain.
How much do the sanctions imposed by the AEPD amount to?
According to the latest published annual report, corresponding to 2023, the sanctions imposed by the AEPD amounted to 29,817,410 euros that year, with the areas with the highest number of sanctioning procedures being the following:
- Video surveillance: 33% of the cases.
- Internet services: 14% of the cases.
Regarding the total amount of fines, the most affected areas in 2023 were:
- Personal data breaches: 12,907,000 euros.
- Financial/credit institutions: 5,321,000 euros.
- Data protection rights: 2,633,400 euros.
- Fraudulent contracting: 2,571,500 euros.
- Telecommunications: 1,942,000 euros.
- Internet services: 1,058,700 euros.
Main reasons for sanctions
Regarding complaints filed by data subjects, the most frequent reasons in 2023 were:
- Receiving unwanted advertising.
- Internet services.
- Video surveillance.
- Commerce, transportation, and hospitality.
- Financial/credit institutions.
Examples of data protection sanctions
Moving from the AEPD’s annual report to concrete cases, here are some examples of companies sanctioned for the reasons described above:
1.3 million euro sanction for a security breach
The security breach affected more than 1.4 million customers in Spain and was caused by unauthorized access to an internal application using fraudulently obtained credentials. The AEPD sanctioned the entity because it considered that there were failures in both the preventive and the reactive management of the security breach.
50,000 € sanction to a company for installing video surveillance cameras in the staff dining room
This is a practice contrary to article 89.2 of the LOPDGDD, which states that “under no circumstances will the installation of sound recording or video surveillance systems be allowed in places intended for the rest or recreation of workers or public employees, such as changing rooms, toilets, dining rooms, and similar.”
10,000 € sanction for sending advertising to a client despite the exercise of the right to object by said client
In this case, there was a violation of article 21 of the Law on Information Society Services and Electronic Commerce, which prohibits sending commercial communications by electronic means without the prior consent of the data subject and without a valid legitimate interest on the part of the entity. Here, not only was there no consent, but the data subject had also expressly objected.
Given all the above, it is clear that failing to comply with data protection regulations can be very costly for companies. To avoid this, a good compliance plan and continuous audits on the matter are a good solution.
If you want information about our data protection compliance and audit services, you can send us a message at contacto@metricson.com or through our contact form on our website.
Article written by:
Lawyer specializing in privacy and technology contracting
About Metricson
With offices in Barcelona, Madrid and Valencia, and a strong international presence, Metricson is a leading firm in legal services aimed at innovative and technological companies, with solid expertise in privacy and security. Since its founding in 2009, we have advised more than 1,400 clients from 15 different countries, including startups, investors, large companies, universities, institutions, and governments. Additionally, at Metricson we are experts in identifying and managing security breaches in companies, helping them protect themselves against risks and threats.
If you want to contact us, do not hesitate to write to us at contacto@metricson.com. We look forward to talking to you!