Marbella Resorts S.L. – €4,200 Fine (Spain, 2021)

€4,200Agencia Española de Protección de Datos6 July 2021Spain
reduced
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Marbella Resorts in Spain was fined for mishandling a guest's personal data, which ended up being published online. This is important because it shows that hotels must protect guests' information and handle it carefully.

What happened

A concierge at Marbella Resorts improperly copied and published a guest's personal data.

Who was affected

The guest whose personal data was mishandled and published online without authorization.

What the authority found

The Spanish data protection authority found that Marbella Resorts failed to manage customer data responsibly, violating data protection rules.

Why this matters

This ruling serves as a reminder for hospitality businesses to train staff on data protection and ensure that personal information is kept secure.

GDPR Articles Cited

AI-verified

Art. 28(3) GDPR
View original scraped data
Art. 28(3) GDPR

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Art. 22(2) LSSI
Source verified 6 April 2026
articles corrected
national law identified
amount discrepancy
Spain enforcementAgencia Española de Protección de Datos actionsAll Marbella Resorts S.L. actions
Full Legal Summary
Detailed

The Spanish DPA (AEPD) has imposed a fine of EUR 7,000 on Marbella Resorts S.L.. In the case at hand, the data subject had booked a room in the hotel complex of the controller. On the day of the data subject's arrival, a concierge made copies of the data subject's data. However, the concierge was not authorized to do so. He was solely authorized to verify the reservation and then to give the guests the keys to their room. After providing the controller with his personal data, the data subject discovered that his personal data had been published on a page with online content for adults. In this regard, the DPA found a lack of diligence on the part of the controller in managing the personal data of its customers and thus a violation of Article 28 (3) GDPR. The fine is composed proportionally of EUR 2,000 for a breach of Art. 22(2) LSSI and 5,000 EIR for a breach of Art. 28(3) GDPR. However, the original fine of EUR 7,000 was reduced to EUR 4,200 due to the immediate payment and admission of guilt.

Violations (1)

Misleading Banner Messaging
critical

The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).

Art. 7 GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Marbella Resorts S.L. in ES

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

GOOGLE LLC

2025 · Commission Nationale de l'Informatique et des Libertés

€200.0M

CJEU case C-604/22 IAB Europe

2024 · Court of Justice of the European Union

BANKIA, S.A.

2021 · Agencia Española de Protección de Datos

€50K

Details

Fine Date

6 July 2021

Authority

Agencia Española de Protección de Datos

Fine Amount

€4,200

Enforcement Tracker ID

ETid-762

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Marbella Resorts S.L. - Spain (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: