Certime S.A. – €5,000 Fine (Spain, 2021)

The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Certime S.A.. The data subject had renewed her driver's license with the controller in 2009. After her address had changed in 2018, in 2019 she received mail from the controller to her new address without having informed the controller of the adress change. In the letter, the controller informed the data subject that her driver's license would soon expire. In response to a inquiry from the data subject as to where her new contact information came from, the controller informed her that its database was regularly updated using data obtained from the Spanish transport authority DGT (Dirección General de Tráfico). As the data subject had not given consent for such processing of her data, she filed a complaint against the controller with the Spanish DPA. An investigation by the DPA revealed that the company had indeed entered into a contract with DGT. However, DGT had clarified that the purpose of the processing of contact data under the contract was to ensure the accuracy of the address when renewing a driver's license or when issuing medical reports so that it could be sent to the correct address. Nevertheless, the data subjects must request and consequently consent to such a change of address. Since these criteria were not met in the specific case, the DPA found a violation of the purpose limitation principle.