Spanish Retailer Fined $12,000 for Violating GDPR
By Netvora Tech News
A Spanish retailer in Madrid has been fined €12,000 (approximately $13,500) by the country's data protection authority, the Spanish Data Protection Agency (AEPD), for violating the General Data Protection Regulation (GDPR).

The retailer had refunded too much money to a customer who was returning a product. When the customer came back to the store, the employee confronted them with security footage from the previous visit. The employee had recorded the footage with their own phone and sent it to the customer via WhatsApp. The video showed not only the customer but also other customers, and the employee's voice could be heard on it.

The customer subsequently filed a complaint with the AEPD, which found that the retailer had not put adequate technical measures in place for storing and disseminating the security footage. The agency also criticized the use of WhatsApp to share the videos. The AEPD concluded that the retailer had violated Article 32 of the GDPR, which requires organizations to implement appropriate technical and organizational measures to ensure the security of personal data. The agency noted that the retailer's CCTV system allowed recordings to be made on a second device, and that the lack of proper security measures was sufficient evidence of the violation.

The fine was initially set at €20,000, but the retailer was able to reduce it by 40% by acknowledging its mistake and paying the proposed fine. The final fine of €12,000 was imposed.

The case serves as a reminder of the importance of implementing appropriate security measures to protect personal data, as well as the potential consequences of violating the GDPR.