Why is Spain Issuing So Many GDPR Fines?

Spain’s data protection authority is at it again. The body, which handed out 143 GDPR (General Data Protection Regulation) fines in the first nine months of the year, has issued 18 more penalties in October.

Although none of the fines are particularly large – with the biggest being a €31,200 penalty levied against Bayard Revistas – it continues a trend set by the AEPD (Agencia Española de Protección de Datos) that contradicts the approach of most other supervisory authorities.

In many EU countries, GDPR enforcement has focused on a handful of significant violations. Luxembourg has, for example, only handed out one fine in the four and a half years since the Regulation took effect, but it was a proposed €746 million penalty levied against Amazon – the largest ever penalty for a data protection violation.

The same pattern can be seen, albeit less extremely, elsewhere. Ireland’s data protection authority has only issued three penalties, with two of them directed at Facebook’s parent company, Meta, and totalling more than €420 million.

The Irish DPC (Data Protection Commission) has previously faced criticism for the time it takes to complete investigations. The authority is in an unfortunate position, given that Ireland is the European home to many tech giants, which have predictably been subject to the most frequent complaints.

Nonetheless, the distinct lack of action has left many frustrated. Many investigations remain open years after the complaint was filed, giving the impression that the GDPR is all but unregulated in the country.

Meanwhile, the AEPD opened and closed an investigation into Google earlier this year after finding a pair of “very serious” GDPR breaches involving the way it transfers personal data to a US-based academic research project.

The speed with which the investigation was conducted is in line with the AEPD’s overall efforts, with the body making decisions at a faster rate than its EU counterparts.

But what’s its secret? Does the AEPD have a particularly efficient system? Is it being careless? Does it have a team of thousands investigating incidents?

The secret to Spain’s success

When you take a closer look at the GDPR fines that the AEPD has handed out since the Regulation took effect, you’ll notice that almost all of the penalties relate to Article 5 and Article 6.

Article 5.1 states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

This is, in effect, the Regulation’s security principle.

Article 6 states that organisations must have a lawful basis whenever they process personal data. Many people mistakenly believe that this means consent is required, but that is only one of six options, and it’s generally the least preferable, because the GDPR strengthened the rules for obtaining and maintaining consent.

These two requirements are at the core of the GDPR’s objectives, and spotting violations is comparatively easy. There is little grey area in terms of compliance: organisations either perform and document the necessary tasks or they don’t.

Many of the organisations that have been investigated by the AEPD are relatively small (at least compared to tech giants) and, as such, there is much less material to inspect.

The trend in investigations was first spotted by the law firm DAC Beachcroft, which highlighted the “new standard” that Spain’s data protection authority set in regulating the GDPR.

According to the analysis, the AEPD has also paid close attention to Articles 13 and 14 of the GDPR, which concern the information provided to individuals when their personal data is being collected, and the circumstances of data collection when the information has not been obtained directly from the data subjects.

GDPR compliance support

If you’re looking for support meeting your GDPR requirements, IT Governance is here to help. We offer a variety of consultancy options for organisations looking to bolster their compliance practices.

Whether you’re looking for a little guidance or you’d like a dedicated consultant, we have you covered.

Our team of experts are on hand to help you at any stage of your GDPR journey. You can learn more about our services on our website or by speaking to one of our experts.
