ARTICLE
1 August 2024

Unnecessary Request For Personal Data Leads To Fines For Eurobox S.A – Spain

R
Rouse

Contributor

Rouse logo
Rouse is an IP services business focused on emerging markets. We operate as a closely integrated network to provide the full range of intellectual property services, from patent and trade mark protection and management to commercialisation, global enforcement and anti-counterfeiting.
Explore
Agencia Espanola Proteccion Datos (AEPD), the Spanish Agency for Data Protection agreed to initiate sanction against Eurobox S.A. after user was required...
Spain Privacy
Photo of My Mattsson
Photo of Frida Holmér (née Siverall)
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

In a nutshell 

Agencia Espanola Proteccion Datos (AEPD), the Spanish Agency for Data Protection agreed to initiate sanction against Eurobox S.A. after user was required to provide personal information documentation in order to unblock their online account. Fines were issued as a result. 

The background 

Eurobox S.A is a gambling website which was established in 1981 and with a volume of business of 557 369 EURO in 2021. A complaint was filed when a website user after having their account with Eurobox blocked, twere requested to provide documentation to prove their identity, domicile and employment and financial situation. The person responded to all questions and provided all documentations, despite being in doubt of the legality, but did still not get their account reactivated

AEPD found in their investigation that the processing of personal data was too broad and not considered necessary and therefore Eurobox acted in violation of GDPR Art 5.1 c) resulting in a fine of 8,000 Euros. 

Additionally, AEPD found that Eurobox could not provide any evidence that the complainant had not been told the purpose of the processing for which the personal data was intended as well as the legal basis for the processing at the time where the personal data wascollected from the data subject. This is a violation of Art 13 and was resulting in an administrative fine of 2 000 Euro.

The total amount of 10 000 Euros was reduced to a total of 6 000 Euros due to immediate payment and admission of liability.

The takeaways 

  • Adjust your actions to the principle of minimization. In other words, collect only personal data that is relevant for your service. When processing personal data, a personal data controller is responsible to make sure personal data is limited to what is necessary in relation to the specific purposes for which they are processed. 
  • Adapt the information in your Privacy Policy. As a controller you are responsible toguarantee that the information in the Privacy Policy includes information about the purpose of the processing as well as the legal basis for the processing, at the time it is obtained from the data subject. The specific information of what should be included in this information is set forth in Art. 13. 

Read more:  ps-00109-2024.pdf (aepd.es) 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of My Mattsson
My Mattsson
Photo of Frida Holmér (née Siverall)
Frida Holmér (née Siverall)
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More