Club Rapido de Bouzas – €1,000 Fine (Spain, 2025)

On the 11th of October 2024, an individual found a box in a bin outside of the playing field of Club Rapido de Bouzas (the controller) on a public road. The box contained hundreds of documents detailing the ID numbers, names and surnames, addresses and photographs of their players (who were minors). In total, 1,444 cards identifying data subjects by name and photograph were found in the box. The club had a “cleaning day” and claimed that this box was disposed of in the field in error. The individual (a father of one of the players) reported the matter to the police, and subsequently filed a complaint with the AEPD (Spanish DPA). On December 19th 2024, the DPA initiated their investigation. The DPA were critical of the controller for firstly allowing the box containing the documents to be erroneously identified as something which could be disposed of in such a manner, and secondly, that no procedure existed whereby the person who disposed of them could be identified. The DPA also noted that the fact that the negligent action was committed by an employee or third party did not absolve the club of responsibility for the incident. Accordingly, the DPA found that the club had violated Article 5(1)(f) GDPR, requiring the controller to implement appropriate technical and organizational security measures to ensure the security of processing. The DPA initially set the fine at €1,000 but pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the DPA informed the controller that it may acknowledge its responsibility for the alleged violations and/or make a voluntary payment of the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €600. The controller was also ordered to communicate to the DPA the adoption of technical and organizational measures to ensure the confidentiality of persona