Club Rapido de Bouzas – €1,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Club Rapido de Bouzas left a box full of personal documents about young players in a public bin. This careless mistake violated data protection rules by failing to keep personal information secure. The club was fined €600 for not having proper security measures in place.
What happened
Club Rapido de Bouzas disposed of a box containing personal information about its players in a public area.
Who was affected
Young players whose personal information, including names and photographs, was found in the box.
What the authority found
The Spanish Data Protection Authority ruled that the club violated Article 5(1)(f) GDPR by not implementing adequate security measures.
Why this matters
This case highlights the importance of proper data handling and security for organizations. Clubs and businesses should ensure they have strong measures to protect personal information to avoid similar penalties.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On the 11th of October 2024, an individual found a box in a bin outside of the playing field of Club Rapido de Bouzas (the controller) on a public road. The box contained hundreds of documents detailing the ID numbers, names and surnames, addresses and photographs of their players (who were minors). In total, 1,444 cards identifying data subjects by name and photograph were found in the box. The club had a “cleaning day” and claimed that this box was disposed of in the field in error. The individual (a father of one of the players) reported the matter to the police, and subsequently filed a complaint with the AEPD (Spanish DPA). On December 19th 2024, the DPA initiated their investigation. The DPA were critical of the controller for firstly allowing the box containing the documents to be erroneously identified as something which could be disposed of in such a manner, and secondly, that no procedure existed whereby the person who disposed of them could be identified. The DPA also noted that the fact that the negligent action was committed by an employee or third party did not absolve the club of responsibility for the incident. Accordingly, the DPA found that the club had violated Article 5(1)(f) GDPR, requiring the controller to implement appropriate technical and organizational security measures to ensure the security of processing. The DPA initially set the fine at €1,000 but pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the DPA informed the controller that it may acknowledge its responsibility for the alleged violations and/or make a voluntary payment of the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €600. The controller was also ordered to communicate to the DPA the adoption of technical and organizational measures to ensure the confidentiality of persona
Related Enforcement Actions (0)
No other enforcement actions found for Club Rapido de Bouzas in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
17 March 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€1,000
GDPRhub ID
gdprhub-9032About this data
Cite as: Cookie Fines. Club Rapido de Bouzas - Spain (2025). Retrieved from cookiefines.eu
Last updated: