Atrium Lex SFC – €100,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Atrium Lex SFC was fined for requesting sensitive personal information from an investor without explaining how it would be used. This case matters because it highlights the importance of informing users about how their data will be processed. It shows that companies must have clear privacy policies and secure methods for handling personal information.
What happened
Atrium Lex SFC requested a copy of an investor's national identity card without providing information on data processing.
Who was affected
An investor who requested information about their portfolio was affected by the company's data handling practices.
What the authority found
The Spanish Data Protection Authority found that Atrium Lex SFC violated GDPR by failing to inform the investor about the processing of their personal data.
Why this matters
This case underscores the necessity for businesses to clearly communicate data processing practices to users. It serves as a reminder for all companies to implement proper privacy measures and training.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The data subject was an investor with the controller, Atrium Lex SFC, a company which specialises in real estate investment projects. On 28/06/2022, the data subject requested information about his portfolio from the controller. In their response, the controller requested a copy of the data subject's DNI (national identity card) without providing any information as to how this data would be processed. They requested that the copy of the identity card be scanned and sent to them via email. Following an email exchange with the data subject, the controller continued to request the DNI via email, offering no information as to the nature of the processing.
On 20/05/2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller. The data subject complained that they were not informed about the processing, that they were provided with no privacy policy from the controller, and that email is an insecure and inappropriate medium for the provision of a scanned identity document. The controller initially failed to respond to the AEPD's request for a response. When they did, they claimed that, as the sole administrators of the companies in which the data subject had invested, requiring the data subject's DNI was a necessary measure to ensure that access to investment-related information was limited to investors. They denied having breached data protection law and stated that they would implement the AEPD's guidelines and improve their internal processes.
The AEPD opened a formal investigation on 20/08/2023. The AEPD found that the controller had committed two violations of the GDPR. Firstly, it was found that the controller had failed to adequately inform the data subject about the processing in question, in violation of Articles 5(1)(a) & 13 GDPR. This was because the controller had failed to inform the data subject about the processing when requesting his DNI. The controller also did not have a privacy po
Related Enforcement Actions (0)
No other enforcement actions found for Atrium Lex SFC in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
13 November 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€100,000
GDPRhub ID
gdprhub-8887
Cite as: Cookie Fines. Atrium Lex SFC - Spain (2024). Retrieved from cookiefines.eu