CARTONAJES BAÑERES, S.A. – €220,000 Fine (Spain, 2024)

€220,000Agencia Española de Protección de Datos22 November 2024Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

CARTONAJES BAÑERES, S.A. was fined €220,000 for failing to respond properly to a former employee's request for their personal data. This is important because it shows that companies must respect employees' rights to access their information and manage biometric data responsibly. The case reinforces the need for clear data access procedures.

What happened

CARTONAJES BAÑERES, S.A. did not properly respond to a former employee's request for access to their personal data.

Who was affected

A former employee of CARTONAJES BAÑERES, S.A.

What the authority found

The Spanish Data Protection Authority found that the company failed to comply with the employee's data access request and did not assess the risks of its biometric attendance system.

Why this matters

This fine emphasizes the importance of having clear procedures for data access requests and conducting risk assessments for biometric systems. Companies should ensure they are compliant to avoid similar penalties.

GDPR Articles Cited

AI-verified

Art. 15(GDPR)
Art. 35(GDPR)
View original scraped data
Art. 15 GDPR
Art. 35 GDPR

Original data from scraper before AI verification against source document.

Source verified 6 March 2026
date discrepancy
Spain enforcementAgencia Española de Protección de Datos actionsAll CARTONAJES BAÑERES, S.A. actions
Full Legal Summary
Detailed

The Spanish DPA imposed a fine of EUR 220,000 on CARTONAJES BAÑERES, S.A. following a complaint filed by a former employee. The employee had submitted a request to the controller for access to their personal data, particularly inquiring about the purpose and categories of data held. However, they did not receive a proper response. The employee also stated that the controller used a biometric facial recognition system that allowed employees to clock in and out, but did not offer an alternative method of recording attendance. During its investigation, the DPA found that the controller had failed to properly comply with the data subject's request for access to their personal data. Furthermore, the DPA found that the controller had failed to carry out a risk assessment of the biometric system, which would have been necessary considering the risks that the processing of biometric data poses to data subjects.

Related Enforcement Actions (0)

No other enforcement actions found for CARTONAJES BAÑERES, S.A. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

22 November 2024

Authority

Agencia Española de Protección de Datos

Fine Amount

€220,000

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. CARTONAJES BAÑERES, S.A. - Spain (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: