Fusiona Soluciones Energéticas, S.A. – €50,000 Fine (Spain, 2023)

The company Fusiona Soluciones Energéticas, the controler, filed a lawsuit against the data subject due to an alleged debt. In the judgment , a Spanish Court of First Instance dismissed the claim and declared that the data subject had no debt with the controller. Although the decision was final, the controller included the data subject's data in the 'common credit information system' associating them with the alleged debt. The data subject then filed a complaint with the Spanish DPA, which initiated disciplinary proceedings against the controller. The Spanish DPA concluded that the controller violated Article 6(1) GDPR. According to the DPA, when notifying the credit information system about a debt that is neither 'certain, nor due or payable', as required by [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf Article 20(1) LOPDGDD], the controller cannot rely on the presumption of legitimate interest established by this provision. Therefore, the DPA considered that the data processing lacked a legal basis and fined the controlle €50,000 for the violation of Article 6(1) GDPR.