AEPD (Spain) - EXP202407160
| AEPD - EXP202407160 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 26.04.2024 |
| Decided: | 11.04.2025 |
| Published: | 30.04.2025 |
| Fine: | 12,000 EUR |
| Parties: | Novates Alimentacion Madrid |
| National Case Number/Name: | EXP202407160 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | cwa |
A store was fined €12,000 for failing to implement appropriate access restrictions regarding CCTV footage, in violation of Article 32 GDPR.
English Summary
Facts
A data subject returned a product to a store, Novates Alimentacion Madrid (the controller), and was refunded too much money.
When the data subject visited the store again, a staff member showed her CCTV footage of her previous interaction at the checkout. The staff member had recorded this footage on their personal mobile phone and sent the recording to the data subject via WhatsApp.
Other customers are visible in the video, and the recording includes the voice of a staff member remarking "that's where the failure was".
On 26 April 2024, the data subject filed a complaint with the AEPD (Spanish DPA).
Holding
The DPA found that the controller had infringed Article 32 GDPR by failing to implement appropriate technical and organisational security measures in respect of the collection and dissemination of the footage.
The DPA held that the recording made on the staff member's personal mobile phone showed that CCTV footage could be accessed by staff members who had no responsibility for the security of the store. The DPA also noted that the CCTV system allowed footage to be recorded by a secondary device, and criticised the use of WhatsApp as a means of transferring the footage. Finally, the DPA highlighted that the footage contained the personal data not only of the data subject but also of other customers in the store, and that no effort had been made to de-identify those customers before the footage was disseminated.
In determining the sanction, the DPA took into account the stark lack of diligence shown by the controller in protecting the personal data it processed, as well as the controller's high turnover. The DPA initially set the fine at €20,000. However, pursuant to Law 39/2015, the Spanish law on administrative procedure, the DPA informed the controller that it could acknowledge responsibility for the alleged violations and/or voluntarily pay the proposed fine, each of which reduces the fine by 20%. The controller did both, reducing the fine by 40% and paying the reduced amount of €12,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.