CARTONAJES BAÑERES, S.A. – €220,000 Fine (Spain, 2024)

€220,000Agencia Española de Protección de Datos22 November 2024Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Spanish DPA imposed a fine of EUR 220,000 on CARTONAJES BAÑERES, S.A. following a complaint filed by a former employee. The employee had submitted a request to the controller for access to their personal data, particularly inquiring about the purpose and categories of data held. However, they did not receive a proper response. The employee also stated that the controller used a biometric facial recognition system that allowed employees to clock in and out, but did not offer an alternative method of recording attendance. During its investigation, the DPA found that the controller had failed to properly comply with the data subject's request for access to their personal data. Furthermore, the DPA found that the controller had failed to carry out a risk assessment of the biometric system, which would have been necessary considering the risks that the processing of biometric data poses to data subjects.

GDPR Articles Cited

AI-verified

Art. 15(GDPR)
Art. 35(GDPR)
View original scraped data
Art. 15 GDPR
Art. 35 GDPR

Original data from scraper before AI verification against source document.

Source verified 6 March 2026
date discrepancy
Spain enforcementAgencia Española de Protección de Datos actionsAll CARTONAJES BAÑERES, S.A. actions
Full Legal Summary

The Spanish DPA imposed a fine of EUR 220,000 on CARTONAJES BAÑERES, S.A. following a complaint filed by a former employee. The employee had submitted a request to the controller for access to their personal data, particularly inquiring about the purpose and categories of data held. However, they did not receive a proper response. The employee also stated that the controller used a biometric facial recognition system that allowed employees to clock in and out, but did not offer an alternative method of recording attendance. During its investigation, the DPA found that the controller had failed to properly comply with the data subject's request for access to their personal data. Furthermore, the DPA found that the controller had failed to carry out a risk assessment of the biometric system, which would have been necessary considering the risks that the processing of biometric data poses to data subjects.

Related Enforcement Actions (0)

No other enforcement actions found for CARTONAJES BAÑERES, S.A. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

22 November 2024

Authority

Agencia Española de Protección de Datos

Fine Amount

€220,000

Enforcement Tracker ID

ETid-2530

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. CARTONAJES BAÑERES, S.A. - Spain (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: