fbpx

Download free GDPR compliance checklist!

Tag Archives for " Spain "

Record penalty of more than 8 million for Vodafone for infringing the data law

The Spanish Data Protection Authority AEPD has fined 8.15 million euros against the British telephone operator with 8.15 million euros for non-compliant use of personal databases of the company and third parties to carry out commercial campaigns between 2018 and 2020.

AEPD opened an investigation last year against the company after receiving 191 complaints about calls and messages on behalf of Vodafone “without being requested or expressly authorized and / or without addressing the exercise of the right to oppose the sending of new notifications.”

The amount of each sanction ranges from 150,000 euros in the lowest to four million euros for a serious violation of the GDPR.

Source: Record penalty of more than 8 million for Vodafone for infringing the data law | Spain’s News

CJEU fines Spain €15 million for failure to implement Data Protection Law Enforcement Directive

The Court of Justice of the European Union (CJEU) ordered Spain to pay the European Commission 15.5 million euros and a potential daily fine thereafter for failing to transpose the Data Protection Law Enforcement Directive (Directive (EU) 2016/680).

On top of the €15 million fine Spain will have to pay a daily penalty payment of € 89 000 for each day of delay on transposition following the CJEU’s judgment.

Source: CJEU press release

The Spanish Supervisory Authority Approves a GDPR Code of Conduct on Advertising

On September 16, 2020, the Spanish Supervisory Authority (AEPD) approved a “Code of Conduct for Data Processing in Advertising”. This is the first GDPR approved Code of Conduct with an accredited monitoring body in the European Union.

The Code broadly applies to any processing of personal data carried out for advertising purposes, including sending direct marketing communications and using cookies and other technologies for targeted advertising.

Source: The Spanish Supervisory Authority Approves a GDPR Code of Conduct on Advertising

Apple hit with privacy complaints over iPhone tracking tool

A privacy group Noyb has filed complaints with the German and Spanish data protection authorities under the EU’s Cookie Law against Apple over a tool in iOS 14 that allegedly tracks iPhone user behaviour without consent.

The group claims that Apple’s Identifier for Advertisers (IDFA) activates when a user sets up an iPhone without offering a chance to consent or even notifying them of its existence.

Source: Apple hit with privacy complaints over iPhone tracking tool | IT PRO

Spanish DPA fines company for the cookie policy with 30,000 euros

The Spanish Data Protection Authority fined the company Vueling for the cookie policy used on its website with 30,000 euros because users who access the company’s website do not have the ability to configure the cookies that are installed on their computers.

When accessing online the cookie policy of the website, users are informed about what cookies are and what cookies they use (first and third-party). What the company does not provide is a management system or cookie configuration panel that allows the user to delete them in a granular way.

Source: The Spanish Data Protection Authority fined the company Vueling for the cookie policy used on its website with 30,000 euros | European Data Protection Board

Spanish court determines that energy consumption data is personal data

Spain’s Supreme Court has ruled that energy consumption data is protected by the Law on Data Protection as they are data on consumer’s behavior habits such as the hours in which the light is used, the rooms in which it is used or the appliances that are plugged in.

Source: El Tribunal Supremo determina que los datos de consumo energético doméstico son datos personales

European Commission refers Greece and Spain to Court

The European Commission decided to refer Greece and Spain to the Court of Justice of the EU for failing to transpose the EU rules on personal data protection (the Data Protection Law Enforcement Directive, Directive (EU) 2016/680).

In April 2016, the Council and the European Parliament agreed the Directive had to be transposed into national law by 6 May 2018.

Source: Data protection: Commission refers Greece and Spain to Court

Spanish DPA fines soccer league 250K euros

La Liga has been fined 250,000 euros for violating the Spanish Data Protection Agency (AEPD) and the European General Data Protection Regulation (GDPR).

La Liga was using their mobile app to detect the bars that screen football matches without paying by activating the microphone of any user’s mobile so that it can detect sounds that bars emits if a private signal is used. AEPD found that information presented to users was opaque.

Source: Spanish DPA fines soccer league 250K euros

New Spanish Data Protection Act partly nullified by the Constitutional Court

On 22 May 2019 it was disclosed that the Spanish Constitutional Court had decided to nullify indent 2 of the final provision 3 of the new Spanish Data Protection Act, less than six months after becoming effective.

At the same time, article 58 bis of the General Electoral Act, created by the former, is also nullified.

Source: SPAIN: New Data Protection Act (partly) nullified by the Constitutional Court

The Spanish DPA publishes a list of processing operations for which a DPIA is mandatory

After having received the favorable opinion of the European Data Protection Board, the Spanish Data Protection Agency (“AEPD”) released last 6th May a list of processing operations for which it is necessary to carry out a privacy impact assessment.

Although the GDPR establishes criteria that help to identify those processing operations that involve a high risk, the supervisory authorities shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. In this context, the AEPD has published a list of processing operations determining that in the majority of cases where the processing meets two or more of the criteria on the list, a PIA will be necessary. The more criteria met by the processing analyzed, the greater the risk involved and the certainty of the need for a PIA.

Full article: The Spanish Data Protection Agency has published a list of processing operations for which a privacy impact assessment is mandatory

1 2 3 4
>