There are actions that, even if they are normalized, does not mean that they are correct. Not much less legal. An example is in the processing of the data made of customers. In this sense, the Spanish Agency for Data Protection (AEPD) imposed a fine of 11,000 euros to a crane company after one of its employees photographed with its personal mobile the ID of a client without its consent and without informing it of the treatment of their personal information, among other irregularities.
It was on March 11, 2024 when the affected person, who had gone to the crane company to collect his car, filed a claim against the AEPD. The reason was that, in that company, he was asked to contribute his ID “being photographed by the person who attended him in said establishment with his personal mobile, without being informed about the processing of his data, and subjecting the delivery of the vehicle to said action, which understands the data protection regulations.”
You may be interested
Fine of 30 euros to parents who collect their children late from school in these cases
The workers’ statute confirms it: if they force you to make extra hours you can turn to article 35
He also pointed out that the facilities had a video surveillance system but had not placed any poster that reported it, as required by law. For all this, suspecting that they could have violated the current regulations, he decided to inform the Spanish Agency for Data Protection.
Four different sanctions with fine
As can be seen in the resolution of the Spanish Agency for Data Protection, up to four different infractions were detected, each with its corresponding sanction. First, there was a violation of the principle of data minimization (article 5.1.C of the General Data Protection Regulation, GDPR), since the company took a photograph of the client’s ID with the aim of demonstrating the collection of the vehicle.
This action, according to the AEPD, constituted “excessive treatment” of personal data, since the situation could have been resolved with the mere DNI exhibition and, where appropriate, the annotation of the necessary data, without the need to capture a complete image. For the same, they established about 3,000 euros of sanction.
Secondly, a lack of security measures was found (Article 32 of the RGPD). It is so because the photograph of the DNI was carried out with the personal mobile of a worker, so the agency said that the company had not adopted the appropriate safety, technical and organizational measures to guarantee the safety and confidentiality of personal data. The initial sanction proposal was 2,000 euros.
The third sanction was produced by the omission of the company of its duty to inform the client about the processing of their personal data (article 13 of the GDPR), since the company did not provide any information about the processing of its data at the time when it requested them for the collection of the vehicle. This, according to the agency, limited the client’s ability to exercise their rights. The proposed sanction was also 3,000 euros.
In the last place, the fourth sanction was because the facilities had video surveillance cameras, but lacked informative posters of video surveyed zone (article 13 of the GDPR). The GDPR and the 3/2018 Organic Law on the Protection of Personal Data and guarantee of digital rights, require a “layer information” system, starting with a visible poster that reports the existence of the treatment and identity of the person responsible. The lack of these posters prevents those affected with knowing that they are being recorded and exercise their rights. In this case, the initial sanction proposal was also 3,000 euros.
In total, the sum of all these infractions reached 11,000 euros, although the sanction remained in 6,600 because the company recognized its responsibility and accepted the voluntary payment.