IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. – €20,000 Fine (Spain, 2020)

In 2019, Mr D, a customer of Iberia Airlines, requested the company to delete all his personal data, including those concerning an ongoing Loyalty Program. Although the controller confirmed the deletion, Mr D continued to receive unsolicited marketing emails from the company. These facts led to a first complaint which ended in the sanctioning procedure PS/00370/2018. Notwithstanding the first formal notice, the sending of promotional did not stop. Therefore, Mr D lodged a second complaint alleging the ongoing violation of Article 6 GDPR. The AEPD finds the violation of Article 6 quite apparent and focuses on the criteria to assess the amount of the fine under Article 83 GDPR. In particular, the Agency finds a certain "recidivism" due to the commission of infringements of the same nature, already sanctioned in the context of a previous procedure. This integrate the aggravating criteria under Art. 83(2)(b) (intentional or negligent character of the infringement) and (e) (previous infringements) of the GDPR. For these reasons, the controller was given a penalty of 20.000 euros.