GSMA Limited – €600,000 Fine (Spain, 2024)

€600,000Agencia Española de Protección de Datos31 May 2024Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

GSMA Limited has been fined €600,000 by Spain's data protection authority for requiring supplier employees to upload proof of COVID-19 vaccination without proper legal backing. This matters because it highlights the importance of having a clear legal basis for processing personal data. Companies should ensure they inform users properly about how their data is used.

What happened

GSMA Limited required employees of its suppliers to register and upload proof of vaccination against COVID-19 without a valid legal basis.

Who was affected

Employees of GSMA's suppliers who were asked to provide vaccination proof.

What the authority found

The authority found that GSMA lacked a valid legal basis for processing the personal data, violating GDPR requirements.

Why this matters

This case emphasizes that companies must have a clear legal basis for data processing and adequately inform users. It serves as a reminder for businesses to review their data handling practices.

GDPR Articles Cited

AI-verified

Art. 14(GDPR)
Art. 6(1) GDPR
Art. 9(2) GDPR
View original scraped data
Art. 6(1) GDPR
Art. 9(2) GDPR
Art. 14 GDPR

Original data from scraper before AI verification against source document.

Source verified 6 March 2026
verified correct
Spain enforcementAgencia Española de Protección de Datos actionsAll GSMA Limited actions
Full Legal Summary
Detailed

The Spanish DPA has imposed a fine of EUR 600,000 on GSMA Limited. In 2022, GSMA Limited required employees of its suppliers to register on an online platform and upload proof of vaccination against COVID-19. One of the data subjects filed a complaint with the DPA as they considered the data processing to be unlawful. GSMA referred to a legal obligation and public interest, but could not provide a specific legal basis. The DPA found that less invasive safeguards would have been possible and that the affected workers were not sufficiently informed about the data processing.

Related Enforcement Actions (0)

No other enforcement actions found for GSMA Limited in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

31 May 2024

Authority

Agencia Española de Protección de Datos

Fine Amount

€600,000

Enforcement Tracker ID

ETid-2545

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. GSMA Limited - Spain (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: