MALAGATROM, S.L.U. – €4,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Malagatrom, a vendor on Amazon, was fined for threatening to publish a customer's personal data over a negative review. This action was deemed illegal as it violated privacy laws. The Spanish data protection authority fined Malagatrom €4,000, emphasizing the importance of respecting customer privacy.
What happened
Malagatrom threatened to publish a customer's personal data in retaliation for a negative review and then did so.
Who was affected
The affected person was a customer who purchased a defective product and left a negative review.
What the authority found
The Spanish data protection authority ruled that Malagatrom had no legal basis to make the customer's personal data public, violating GDPR.
Why this matters
This case serves as a warning to businesses about the consequences of mishandling customer data. It reinforces the need for companies to respect privacy rights and avoid retaliatory actions against customers.
GDPR Articles Cited
A data subject bought a product from Malagatrom, a vendor on Amazon. The product was defective, so the data subject filed a claim and also posted a negative review on Malagatrom's page. The controller, Malagatrom, threatened to publish the data subject's personal data if they did not remove the negative review from its page. Since the data subject did not do as asked, the controller published their name, surnames, address, phone number, their husband's name and their phone company's name. As the Spanish DPA (AEPD) noted, the controller had done the same several times.
The AEPD determined that the controller had processed personal data without consent, therefore violating Article 6(1) GDPR. While the initial processing of the personal data was justified for the performance of a contract, and therefore based on Article 6(1)(b), the subsequent processing to make the data subject's personal data public had no legal basis, as it was not necessary for the fulfillment of the initial contract. The AEPD also found a breach of the confidentiality principle, since the data provided by the data subject were only meant to be processed within the commercial agreement between the two parties, and not to be made publicly available.
However, the DPA considered that since both violations arose from the same facts, in accordance with the criminal law principles that are applicable to sanctioning procedures, it could only sanction the controller for the original and most serious violation, which is the infringement of Article 6 GDPR. For this, the AEPD fined the controller €4,000. To determine the amount, the DPA took into account the intentionality of the behaviour, the nature of the infringement, the nature of the harm done to the data subject, the means used for the infringement, which implies public access, and the categories of data disclosed. As a mitigating factor, the DPA took into account the small size of the controller.
Details
Fine Date: 5 July 2021
Authority: Agencia Española de Protección de Datos
Fine Amount: €4,000
GDPRhub ID: gdprhub-3654
Cite as: Cookie Fines. MALAGATROM, S.L.U. - Spain (2021). Retrieved from cookiefines.eu