Details:
| Summary | The Spanish DPA has imposed a fine of EUR 3,600 on XASTRE DO PETO, S.L. (restaurant). An individual had filed a complaint with the DPA due to the fact that the controller required them to fill out a form with their personal information for contact tracing purposes in the context of the Covid-19 pandemic. However, during its investigation, the DPA found that the legal basis for collecting the contact information had expired in the meantime and that the controller had therefore processed the data unlawfully. The DPA also found that the controller did not provide data subjects with sufficient information on data processing. The DPA further determined that the controller did not provide data subjects with an easy way to object to the processing of personal data. |
| Link: | link |
| Related articles: | Art. 6 (1) GDPR, Art. 13 GDPR, Art. 21 GDPR |
| Type: | Insufficient legal basis for data processing |
| Fine: | EUR 3,600 |
| Sector | Accomodation and Hospitalty |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/