XASTRE DO PETO, S.L. – €3,600 Fine (Spain, 2022)

€3,600Agencia Española de Protección de Datos11 November 2022Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

XASTRE DO PETO, a restaurant, was fined EUR 3,600 for collecting customer data without a valid reason. The restaurant asked for personal information for Covid-19 contact tracing, but the legal basis for this had expired. This case highlights the need for businesses to ensure they have a valid reason to collect personal data.

What happened

XASTRE DO PETO collected customer data for contact tracing without a valid legal basis.

Who was affected

Customers who were required to provide personal information for contact tracing.

What the authority found

The Spanish DPA found the restaurant unlawfully processed personal data without a valid legal basis and failed to inform customers properly.

Why this matters

This case serves as a warning to businesses to regularly review the legal basis for data collection and ensure transparency with customers. It highlights the importance of clear communication and valid consent in data processing activities.

GDPR Articles Cited

Art. 13 GDPR
Art. 21 GDPR
Art. 6(1) GDPR
Spain enforcementAgencia Española de Protección de Datos actionsAll XASTRE DO PETO, S.L. actions
Full Legal Summary
Detailed

The Spanish DPA has imposed a fine of EUR 3,600 on XASTRE DO PETO, S.L. (restaurant). An individual had filed a complaint with the DPA due to the fact that the controller required them to fill out a form with their personal information for contact tracing purposes in the context of the Covid-19 pandemic. However, during its investigation, the DPA found that the legal basis for collecting the contact information had expired in the meantime and that the controller had therefore processed the data unlawfully. The DPA also found that the controller did not provide data subjects with sufficient information on data processing. The DPA further determined that the controller did not provide data subjects with an easy way to object to the processing of personal data.

Related Enforcement Actions (0)

No other enforcement actions found for XASTRE DO PETO, S.L. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

11 November 2022

Authority

Agencia Española de Protección de Datos

Fine Amount

€3,600

Enforcement Tracker ID

ETid-1491

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. XASTRE DO PETO, S.L. - Spain (2022). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: