TRABAJADORES DEL CENTRO INTEGRADO DE FORMACIÓN PROFESIONAL SOMESO – Complaint Upheld (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Spanish Data Protection Authority found that a regional education department didn't properly inform workers about a new biometric system. Although the system was legal, the workers weren't given clear information about how their data would be used. This case highlights the importance of transparency when handling sensitive data like biometrics.
What happened
A regional education department failed to inform workers clearly about a biometric identification system.
Who was affected
Workers at an educational center who were supposed to use the biometric system.
What the authority found
The Spanish authority concluded that the department violated GDPR by not providing clear information as required under Article 13.
Why this matters
This case underscores the need for organizations to be transparent about data processing, especially when using sensitive data like biometrics. It serves as a reminder to ensure clear communication with employees about data use.
GDPR Articles Cited
Entities Involved
A group of workers at a educational centre filed a complaint with the Spanish DPA (AEPD) against their regional Department for Public Education and Universities. The Department was in the process of implementing a biometric identification system for their workers. Such system was meant to be a voluntary way of identification for the teachers of the centre. The AEPD found that the controller had not properly informed the workers about the biometric system. When the workers asked about the information listed under Article 13 GDPR, they only received a generic answer saying that the personal data were being processed in accordance with the data protection law, and that the contracts made with the providers of the service were also compliant. The AEPD noted that the processing was not illegal. The controller had a legal basis for the processing (the performance of a contract), and was also relying in one of the exceptions from Article 9(2) GDPR, required for the processing of special categories of data: the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment. Such obligations originate in the [https://www.boe.es/buscar/act.php?id=BOE-A-2015-11430 Spanish Workers' Statute]; its Article 20(3) allows the employer to use different methods of control and surveillance to verify that the employee effectively complies with their duties and obligations. However, the AEPD remarked that neither the information provided to the workers nor the answer to their latter request for such information were appropriate, specially in light of a processing of personal data of a sensitive nature, such as biometric data. The AEPD therefore concluded that the controller had violated Article 13 GDPR, by not providing the information listed by the Article to their workers. The AEPD only issued a warning to the controller. The authority took into account the actions that
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for TRABAJADORES DEL CENTRO INTEGRADO DE FORMACIÓN PROFESIONAL SOMESO in ES
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. TRABAJADORES DEL CENTRO INTEGRADO DE FORMACIÓN PROFESIONAL SOMESO - Spain (2021). Retrieved from cookiefines.eu
Last updated: