Asociación Escuela Nacional de Equitación – €4,000 Fine (Spain, 2024)

The controller, a horse riding school, has a profile on Google where customers can write reviews. Following some negative comments written by customers, the controller replied to them. Since the controller believed that these reviews were defaming its reputation, it referred to the possibility of suing the authors of the reviews in court, like it had already successfully done with the data subject. In doing so, the controller explicitly mentioned the name of the data subject. The data subject, having noticed that their name appeared in this replies, filed a complaint with the DPA. They argued that the judgement at hand was the result of a court proceeding initiated by another entity and that they had never sent the controller this judgement. First, the DPA held that the controller had shared the name of the data subject on its Google profile without the proper legal basis. Therefore, it found a violation of Article 6 GDPR. Secondly, the DPA noted that it is obvious that the controller has personal data of the data subject. Moreover, the controller has not proved that it had collected that data directly from the data subject. Therefore, the controller should have given the data subject the information set by Article 14 GDPR. Since it did not do so, the DPA found a violation of this provision. On these grounds, the DPA issued a fine of €4,000 and ordered the controller to delete the data subject’s data.