HIGHCLIFFE ESTATES MARBELLA, S.L. – €8,000 Fine (Spain, 2021)

A law firm filed a complaint before the AEPD on 29 July 2020 against a real estate company for failing to comply with the GDPR on its corporate website (www.higclffeestates.com). The complaint was based: # Firstly, on the lack of information regarding the processing of data collected by the form of the website. # Secondly, on the fact that the image and personal data of one of the partners of the complainant's law firm was displayed without their consent. # Lastly, on the fact that the privacy policy of the company's website made reference to the derogated Data Protection Act from 1999. * Can the reference to a repealed law in the privacy policy be considered to constitute a breach of Article 13 of the GDPR? * Is the publication of a photograph and personal data without the data subject's express consent a violation of Article 6 (1) GDPR? The AEPD found that publishing the image of the data subject without his consent was a violation of Article 6 (1) GDPR, and decided to fine the controller €8000. Secondly, the AEPD decided that the lack of the necessary information and making reference to the derogated Data Protection Act was a violation of Article 13 GDPR and issued a warning to the controller. The AEPD took into account the following aggravating factors (Article 83 (2) GDPR) to determine the level of the sanction: * It is an intentional negligent action (art. 83 (2) (b) GDPR). * The AEPD became aware of the infringement through the complainant's filing of a complaint (Art. 83 (2) (h) GDPR).