SIGNALLIA MARKETING DISTRIBUTION, S.A. – €100,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Signallia was fined €100,000 by the Spanish data protection authority for not returning data to its client, EHR, after their contract ended. The delay in returning data caused significant issues for EHR, impacting their operations. This case emphasizes the importance of fulfilling contractual obligations regarding data management.
What happened
Signallia failed to return data to EHR as required after their business relationship ended.
Who was affected
EHR and its clients, who were affected by the inability to access necessary data.
What the authority found
The Spanish DPA ruled that Signallia violated GDPR by not returning or deleting data as instructed by EHR.
Why this matters
This decision highlights the critical role of data management in business contracts and the potential consequences of failing to comply. Companies must ensure they have clear processes for data transfer and deletion when contracts end.
GDPR Articles Cited
The company EHR, dedicated to tourism and hotelier services, hired another company, Signallia, dedicated to software and computing services, to manage their data and servers. The data processing agreement between them stated that Signallia had to give back EHR all data and copies obtained or processed for them, as their relationship ends. Accordingly, when EHR decided to move their servers to an internal place they instructed Signallia to return to them all their data. However, the processor did not follow the request and instead asked the controller to pay the debts they had with them. The controller argued that the processor had debt with them as well and that they had lodged a legal claim before the courts. The legal claim was targeted at getting back data, including those of the clients of their hotels. Even though the processor communicated to the controller that they would handle over the data, a month after such communication no data was received. Therefore, the controller lodged a complaint with the Spanish DPA (AEPD). Again, the processor offered the controller to handle the data over in a 5TB hard disk, which they did not do, alleging organizational problems. This behaviour caused huge losses to the controller, who could not access their servers and data during a long time. The DPA stated that the controller cannot exercise a right to access, which is a personal right that belongs to the data subject, and that the controller can only compel the processor to comply with its legal obligations. The DPA also remarked that the controller may leave a certain degree of discretion as to how best to serve the interests of the controller, allowing the processor to choose the most appropriate technical and organisational means. Ultimately, the DPA concluded that there had been a violation of Article 28(3)(g) GDPR, that obliges the processor, at the choice of the controller, to delete or return all the personal data, as well as existing copies, to the controller aft
Related Enforcement Actions (0)
No other enforcement actions found for SIGNALLIA MARKETING DISTRIBUTION, S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
17 August 2021
Authority
Agencia Española de Protección de Datos
Fine Amount
€100,000
GDPRhub ID
gdprhub-3918About this data
Cite as: Cookie Fines. SIGNALLIA MARKETING DISTRIBUTION, S.A. - Spain (2021). Retrieved from cookiefines.eu
Last updated: