On June 2, 2023, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00524-2022 in which it imposed a fine of €20,000 on Quality-Provider, SA.
Following a complaint submitted by an individual regarding the General Data Protection Regulation (GDPR).
Background to the decision
In particular, the AEPD noted that the complainant received a phone call from a real estate company; when asked how the latter obtained the complainant’s data, they were informed that it was collected from a database managed by Quality-Provider. On this, the AEPD stated that, when requesting the deletion of their data from the database, Quality-Provider requested a copy of their national identity card and, since the complainant refused to do so, Quality-Provider did not process their deletion request.
Findings of the AEPD
Following its investigation, the AEPD held that Quality-Provider did not justify the basis of legitimacy for processing the complaint’s data, nor was there evidence that the complainant had been informed of the data collection, either at the time Quality-Provider obtained it or when it used it for commercial purposes, so that the complainant could have exercised their right to object. Therefore, the AEPD found Quality-Provider in breach of Article 6 of the GDPR.
Separately, the AEPD also highlighted that Quality-Provider violated Article 17 of the GDPR, since asking for the complainant’s national identity card can be considered excessive and an obstacle to the exercise of the right to deletion.
In light of the above, the AEPD imposed the abovementioned fine on Quality-Provider. To view the decision, you can access the PDF by clicking here. It is available in Spanish.