Date: 2022-02-24

When the ‘Organic Law on the Protection of Personal Data and guarantee of digital rights’ was approved in 2018, its article 76.4 established the obligation to collect and publish in the BOE all sanctions imposed by the AEPD (Spanish Data Protection Agency) that exceed one million euros when the sanctioned party is a ‘legal entity’ (companies, associations, political parties, etc.).

As required by that law, yesterday’s BOE lists all the sanctions of this kind imposed by the AEPD over the past year, identifying the offender, the offense and the amount. A total of five large companies appear on the list: Vodafone, BBVA, Mercadona, and the two Spanish subsidiaries of EDP (Energias de Portugal).






Vodafone: 8.15 million

In March 2021, the AEPD fined Vodafone Spain 8.15 million euros for breaching not only the GDPR, but also the LSSICE (Law on Services of the Information Society and Electronic Commerce) and the General Telecommunications Law.

In large part, the sanction was due to the commercial marketing actions carried out by the telephone operator: the AEPD found that the company had not been able to explain why the reported events occur and continue to occur, nor “the reason why certain users have requested not to receive marketing actions and yet continue to receive commercial actions”.

That, together with Vodafone’s recidivism in those practices (there were a total of 162 claims within a period of less than two years, and the company had continued its marketing actions after rights-protection resolutions urging that they be stopped) and the fact that it benefited economically from them, determined the huge amount of the fine imposed.

BBVA: 5 million

In mid-December 2020 (although it was not final until 2021), the AEPD imposed a fine of 5 million euros on Banco Bilbao Vizcaya Argentaria (BBVA), as a result of five claims from different users who received telephone calls from BBVA even though they had refused to allow their data to be shared for advertising purposes.

BBVA was accused of not making its privacy policy clear enough: it assumed that, by not checking a box, the user was giving consent to the processing of some personal data, something that goes against the provisions of the General Data Protection Regulation.

The AEPD considered that the bank not only ignored the need for consent by the user (article 13), but also failed to correctly inform the user of how their data would be collected (article 14).

Mercadona: 2.5 million

Although smaller than the previous ones, the sanction of 2,520,000 euros imposed on Mercadona stands out for involving violations of the most GDPR articles: a total of seven.

The sanction was imposed last July, a year after Mercadona announced that it would start using a facial recognition system in its supermarkets to detect people subject to a final sentence and a precautionary measure or restraining order barring them from its establishments.

After the ensuing controversy, the AEPD opened an investigation, which concluded that these measures mean, for practical purposes, “that all citizens are treated as convicted” for being “subjected to the same treatment as the subject to whom the security measure was imposed”.

Previously, the company had tried to have the sanctioning proceedings closed with a striking argument: that it did not need a “legal basis” to carry out data processing, because “the [facial] pattern of a person does not constitute personal data”.

EDP: 1.5 + 1.5 million

Last June, the AEPD had already imposed sanctions on EDP Energía and EDP Comercializadora, for a total sum of 3 million euros. The sanctioning procedures had begun two years earlier, as a result of repeated complaints made by users.

The AEPD found EDP Energía/Comercializadora guilty of violating the principle of privacy by design (its website allowed contracting its services through a representative… without verifying the prior existence of authorization by the principal) and the principle of information (because the user was not informed of the possibility or the channel to exercise their rights).