Spain

Thomas International Systems, S.A.

40,000 €

GDPR enforcement action by Spanish Data Protection Authority (aepd) on 2023-01-16.

Rank · Sector

#139

of 322 in Finance, Insurance and Consulting

Rank · Spain

#279

of 1,075

Rank · All fines

#820

of 3,050

Case details

Authority: Spanish Data Protection Authority (aepd)
Date: 2023-01-16
Controller / Processor: Thomas International Systems, S.A.
Sector: Finance, Insurance and Consulting
Quoted Articles: Art. 9 GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The Spanish DPA has imposed a fine on Thomas International Systems, S.A.. Thomas International performs psychological tests on behalf of other companies. Thomas International had conducted such a test on behalf of the company Agroxarxa, S.L.. A participant of such a test had filed a complaint against the controller because they had to provide sensitive personal data (ethnicity, disability). However, Agroxarxa had indicated that the test did not request and process such sensitive data. During its investigation, the DPA found that Thomas International had nevertheless processed sensitive personal data without the consent of the data subject or the processing being necessary for the fulfillment of the contractually agreed purpose between Agroxarxa and Thomas International. The DPA considered this to be a violation of Art. 9 GDPR. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.

Open original source Links to the regulator's original publication or another source.