Securitas Direc España, S.A. – €50,000 Fine (Spain, 2023)

The data subject had contracted the controller to install a security device in their house. This device was equipped with motion detectors/camera that allowed monitoring of the location through a mobile application, along with other features such as remote control, sirens, key reader, smart keys, etc. During a burglary, the security device was destroyed. The data subject did not receive any notification. For this reason, the data subject made an access request to the controller, asking for their personal data. However, the controller denied the request. The data subject filed a complaint with the Spanish DPA, which confirmed that the controller had to facilitate their access to the data and ordered it to to comply with the request pursuant to Article 58(2)(c). After this decision, the controller provided a file with some of the requested data, but the data subject considered that the information was incomplete and incomprehensible and filed a new complaint. According to the data subject, the data did not include, for instance, the images captured by the device on the date of the invasion of their house. On the other hand, the controller claimed claimed that it just failed to provide technical activity logs used to control the performance of the device, since they are not personal data. The DPA highlighted that the definition of personal data provided for by Article 4(1) GDPR should not be interpreted in a restrictive manner. In the present case, it considered that all technical logs generated by the device, including those exclusively operated by employees of the controller to monitor its performance, constitute data related to the data subject. According to the DPA, the device was installed at the data subject's house, based on a contract signed by them, and contained a unique numerical identifier, which allowed the identification of the data subject. As a result, the DPA stated that all data generated by the device is personal and is covered by the right of