INMOPISO ZARAGOZA, S.L. – €2,000 Fine (Spain, 2021)

A data subject filed a complaint before the Spanish DPA (AEPD) against a real state company, that had allegedly not provided the information required by Article 13 GDPR when they formalized the first payment for an apartment, for which the data subject had provided personal data. The AEPD determined that the collection of data for entering a real state contract entails processing of personal data. Therefore, the controller had the obligation to provide the information required by Article 13 GDPR. However, the controller had not provided the data subject such information. The controller only mentioned the former Data Protection Act from 1999, and did not inform about the rights that the data subject is entitled to under the GDPR. Hence, the AEPD fined the controller €2000, reduced to €1200 because of an early payment and recognition of responsibility, for a violation of Article 13 GDPR. In order to determine the amount of the fine, the DPA took into account, the absence of previous sanctions on the controller, the lack of benefit obtained by the controller and the small size of the controller.