Norconsulting – €15,000 Fine (Spain, 2023)

€15,000 | Agencia Española de Protección de Datos | 28 February 2023 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Spanish Data Protection Authority fined Norconsulting EUR 15,000 for not properly handling a person's request to access and delete their data. The company failed to comply with GDPR rules about data access and erasure. This case highlights the importance of respecting individuals' rights to control their personal information.

What happened

Norconsulting did not fulfill a person's request to access and delete their personal data as required by GDPR.

Who was affected

A person in Germany who received targeted job offer emails from Norconsulting.

What the authority found

The Spanish DPA found that Norconsulting failed to properly handle the person's requests for data access and erasure, violating GDPR rules.

Why this matters

This case emphasizes that companies must take requests for data access and deletion seriously under GDPR. Businesses should ensure they have clear processes for handling such requests to avoid fines.

GDPR Articles Cited

Art. 15 GDPR
Art. 17 GDPR
Art. 19 GDPR
Art. 60 GDPR
Art. 56(1) GDPR

Full Legal Summary

On 15 January 2020, Norconsulting (the controller), a human resources company established in Spain with contractual relations with various ad platforms such as LinkedIn, InfoJobs or Xing, sent an email to A.A.A., a data subject established in Germany (the data subject). The purpose of this email was to advertise targeted job offers to the data subject.

On the same day, the data subject wrote back to the controller and requested: (i) access to the information under Article 15(1); (ii) deletion of the data (Article 17); (iii) communication to the recipients of these data (Article 19); and (iv) deletion of these data from the sites where they have been published (Article 17(2)).

On 4 February 2020, the controller responded to the data subject, explaining that it had obtained the data subject’s contact through ad platforms to which the data subject was, or had been, registered. The controller stated that it would delete the data subject’s email from its files. The data subject contacted the controller by email on 4 February, 15 March and 31 March 2020, stating that the response was not valid under the GDPR.

On 31 March 2020, the data subject filed a complaint with the German DPA of Berlin on the matter. In accordance with Article 56(1) GDPR and in application of the procedural rules applicable to cross-border cases, the Berlin DPA transferred the case to the Spanish DPA, as lead supervisory authority.

In the course of the proceedings, the controller claimed that it had obtained the data subject’s email address from contractual partners with which the data subject had agreed to share their data. The controller also stated that it deleted the data subject’s email address after their request. The Spanish DPA underlined that the focus of the legal proceedings was the exercise of the right of access and the right of erasure of the data subject, rather than the lawfulness of the processing carried out by the controller.

Right of access

The Spanish DPA found that the contr

Related Enforcement Actions (0)

No other enforcement actions found for Norconsulting in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 28 February 2023
Authority: Agencia Española de Protección de Datos
Fine Amount: €15,000
GDPRhub ID: gdprhub-5752

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Norconsulting - Spain (2023). Retrieved from cookiefines.eu
