CECOSA Hipermercados SL – Court Ruling (Spain, 2021)

On 2019, the Spanish DPA (AEPD) [https://www.aepd.es/es/documento/ps-00336-2018.pdf fined a supermarket chain €100,000] for not implementing adequate measures to prevent the leakage of one of their security videos, that involved images from a well-known politician. This AEPD decision was appealed before the Spanish National High Court (AN). The AN concluded that the sanctioning proceeding carried out by the AEPD had not respected the procedural law for sanctioning proceedings nor the ethos of the right to effective judicial protection enshrined in the Spanish Constitution. According to the general principles of the procedural law for sanctioning proceedings, any defendant has the right to a trial period, a draft resolution, and a period for allegations, that the AEPD did not grant to the controller, as they did not respond to the initial notification. Additionally, the AEPD, in their initial assessment, only contemplated the violation of Article 9 (security of the data) of the [https://www.boe.es/buscar/act.php?id=BOE-A-1999-23750 former Spanish Data Protection Act], while in their resolution they also found a violation of Article 4 (quality of the data), but did not inform the controller about the allegations against them pursuant to the latter Article. Furthermore, the DPA conducted an on-site investigation on different premises than where the problem had originated - in order to assess and verify the security protocol of the controller - but did not inform the controller that they could assess other infringements in those other premises. According to Article 24 of the Spanish Constitution, defendants shall have the right to legal defence, to be informed about the allegations made against them, and to have the opportunity to prove themselves innocent, with whatever means of evidence. Also, according to Article 122(1) [https://www.boe.es/buscar/act.php?id=BOE-A-2008-979 Spanish DPA Bylaw], the DPA should carry out investigation activities that allow them t