Spain

Chamber of Commerce, Industry, Services and Navigation of Spain

500,000 €

GDPR enforcement action by Spanish Data Protection Authority (aepd) on 2025-04-15.

Rank · Sector: #15 of 357 in Public Sector and Education
Rank · Spain: #42 of 1,075
Rank · All fines: #248 of 3,050

Case details

Authority: Spanish Data Protection Authority (aepd)
Date: 2025-04-15
Controller / Processor: Chamber of Commerce, Industry, Services and Navigation of Spain
Sector: Public Sector and Education
Quoted Articles: Art. 5 (1) a), b), f) GDPR, Art. 6 (1) GDPR, Art. 14 GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The Spanish DPA has imposed a fine of EUR 500,000 on the Chamber of Commerce, Industry, Services and Navigation of Spain. Due to its function within the Spanish Executive, the controller has access to the basic data of all Spanish companies, including information regarding solvency, contact details, tax numbers and more. Self-employed persons are also included. The controller has decided to make this information available to the public. For this purpose, the controller created the legal entity CAMERDATA S.A. (ETid: 2838), which acts as a data processor. The controller transferred the aforementioned data to the processor so that it could be distributed. However, the transfer was not based on a valid legal basis. The amount and kind of data transferred infringed the principles of data minimisation and confidentiality. Furthermore, the manner in which the data was transferred infringed the principle of fairness, and the controller failed to inform the data subjects regarding the data processing.
