Spain

[ES] DPA fines a supermarket EUR 150 000 for data protection infringement

IRIS 2019-10:1/13

Miguel Recio

CMS Albiñana & Suárez de Lezo

On 2 September 2019, the Agencia Española de Protección de Datos (Spanish Data Protection Authority, AEPD) fined a supermarket EUR 150 000 for two infringements of the Spanish data protection legislation. On 25 April 2018, the AEPD initiated an investigation after the publication in several newspapers of images recorded by a CCTV system installed in a supermarket corresponding to events which had occurred in May 2011. The images showed the then President of the Community of Madrid supposedly putting some cosmetic products in her bag. The publication of those images was considered an infringement of the security measures, punishable by a fine of EUR 100 000, and of the minimisation principle on data protection, punishable by a fine of EUR 50 000.

Both infringements were considered equally serious under Organic Law 15/1999 of 13 December 1999 on the Protection of Personal Data, which was repealed by Organic Law 3/2018 of 5 December 2018 on the Protection of Personal Data and Guarantee of Digital Rights, currently in force. In particular, the supermarket had stored the images, infringing its obligation to adopt and implement security measures and to respect the data protection principles, as those images, relating to the investigation of a possible theft, had been kept and published without a legal basis for the processing.

The AEPD's resolution might be appealed through a contentious-administrative appeal submitted to the Audiencia Nacional (National Court) .