HERTZ DE ESPAÑA, S.L. – Complaint Upheld (Spain, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Hertz España mistakenly sent personal information about fines meant for someone else to a customer's email address. The Spanish data protection authority found Hertz didn't have strong enough security measures to prevent this mistake. This case reminds businesses to ensure their data handling processes are secure and accurate.
What happened
Hertz España sent emails containing another person's fine details to the wrong email address.
Who was affected
A customer of Hertz España who received emails intended for a third party.
What the authority found
The Spanish data protection authority found Hertz España failed to protect personal data, violating GDPR by allowing unauthorized access.
Why this matters
This case emphasizes the importance of having strong data security measures to prevent unauthorized data access. Businesses should regularly review and improve their data handling practices to avoid similar errors.
On 5 July 2019 the data subject received an e-mail from Hertz España, a rental vehicle provider (the controller), containing information about monetary fines. These fines were directed at a third party, but were sent to the data subject's e-mail address. The data subject complained to the controller about this on the same day. In turn, the controller assured them on 9 July 2019 that the data had been rectified. However, the data subject received another e-mail directed at the third party on 29 July 2019. On the same day, the data subject submitted a complaint to the German data protection authority, which relayed it to the AEPD, the Spanish data protection authority. The complete deletion of the data subject's data from the third party's file was only achieved on 30 July 2023.
The AEPD started an investigation and later initiated penalty proceedings. In its defense, the controller argued that the third party had themselves given the data subject's e-mail address as their own and that the error was most likely not made by an employee of the controller. Furthermore, the controller highlighted the uniqueness of the case and stated that it was a minor error with no lasting damage that was rectified as soon as possible. The controller also added that the data subject themselves only put the respective e-mail address into the controller's database on 7 February 2020, meaning the controller could not have confused the e-mail addresses of the data subject and the third party in 2019.
The AEPD held that the controller violated Article 5(1)(f) GDPR by giving the data subject access to personal data of the third party, opening the way to sanctions under Article 83(5)(a) GDPR. Furthermore, the AEPD held that the controller also breached Article 32 GDPR, as the technical and organisational measures taken by the controller were considered insufficient. The AEPD assumed that with appropriate measures a timely rectification of the data duri
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for HERTZ DE ESPAÑA, S.L. in ES
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. HERTZ DE ESPAÑA, S.L. - Spain (2022). Retrieved from cookiefines.eu