Spain

XASTRE DO PETO, S.L.

3,600 €

GDPR enforcement action by Spanish Data Protection Authority (aepd) on 2022-11-11.

Rank · Sector

#43

of 100 in Accomodation and Hospitality

Rank · Spain

#583

of 1,075

Rank · All fines

#1,961

of 3,050

Case details

Authority: Spanish Data Protection Authority (aepd)
Date: 2022-11-11
Controller / Processor: XASTRE DO PETO, S.L.
Sector: Accomodation and Hospitality
Quoted Articles: Art. 6 (1) GDPR, Art. 13 GDPR, Art. 21 GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The Spanish DPA has imposed a fine of EUR 3,600 on XASTRE DO PETO, S.L. (restaurant). An individual had filed a complaint with the DPA due to the fact that the controller required them to fill out a form with their personal information for contact tracing purposes in the context of the Covid-19 pandemic. However, during its investigation, the DPA found that the legal basis for collecting the contact information had expired in the meantime and that the controller had therefore processed the data unlawfully. The DPA also found that the controller did not provide data subjects with sufficient information on data processing. The DPA further determined that the controller did not provide data subjects with an easy way to object to the processing of personal data.

Open original source Links to the regulator's original publication or another source.