COLEGIO VIRGEN DE EUROPA, S.L. – €24,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller is a school named "COLEGIO VIRGEN DE EUROPA, S.L."; the data subject is a parent of an underage student of this school. On 29 June 2022, the data subject's parents learned from law enforcement that a pedestrian found a camera in a backpack on the street, which contained footage of their underage daughter. Law enforcement also found footage of the data subject in the house of a teacher from the school. Several of the pictures depicted the data subject's daughter in swimwear. On 27 September, the data subject filed a complaint with the DPA. According to the complaint, the pictures were taken without the awareness or consent of the data subject and with no regard for basic file custody protocols. Furthermore, the controller had violated the principle of transparency by taking pictures without informing the affected parties; this prevented them from exercising their rights regarding their personal data. During its investigations, the DPA asked the school and the teachers whether they can photograph students during school and when teachers may do so. The controller responded to the DPA's requests on 27 February 2024 by supplying their consent form, which was incorporated in the enrollment form and collected annually. The form stated that the purpose of taking photos and/or audiovisual recordings was for promotional reasons (e.g. including them in the school's website, social media or yearbooks), and for archiving purposes. The form, however, did not include further information such as the retention period of the footage, or the possibility of withdrawing consent. The controller claimed that educational centres can take pictures of students during school activities with an educational function and that consent is lawfully obtained in the remaining activities. Teachers were allowed to take pictures of students in the context of the subjects and programs assigned to them; the recording of images did not grant them unlimited access, and the school specifi
GDPR Articles Cited
The controller is a school named "COLEGIO VIRGEN DE EUROPA, S.L."; the data subject is a parent of an underage student of this school. On 29 June 2022, the data subject's parents learned from law enforcement that a pedestrian found a camera in a backpack on the street, which contained footage of their underage daughter. Law enforcement also found footage of the data subject in the house of a teacher from the school. Several of the pictures depicted the data subject's daughter in swimwear. On 27 September, the data subject filed a complaint with the DPA. According to the complaint, the pictures were taken without the awareness or consent of the data subject and with no regard for basic file custody protocols. Furthermore, the controller had violated the principle of transparency by taking pictures without informing the affected parties; this prevented them from exercising their rights regarding their personal data. During its investigations, the DPA asked the school and the teachers whether they can photograph students during school and when teachers may do so. The controller responded to the DPA's requests on 27 February 2024 by supplying their consent form, which was incorporated in the enrollment form and collected annually. The form stated that the purpose of taking photos and/or audiovisual recordings was for promotional reasons (e.g. including them in the school's website, social media or yearbooks), and for archiving purposes. The form, however, did not include further information such as the retention period of the footage, or the possibility of withdrawing consent. The controller claimed that educational centres can take pictures of students during school activities with an educational function and that consent is lawfully obtained in the remaining activities. Teachers were allowed to take pictures of students in the context of the subjects and programs assigned to them; the recording of images did not grant them unlimited access, and the school specifi
Related Enforcement Actions (0)
No other enforcement actions found for COLEGIO VIRGEN DE EUROPA, S.L. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
20 June 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€24,000
GDPRhub ID
gdprhub-9408About this data
Cite as: Cookie Fines. COLEGIO VIRGEN DE EUROPA, S.L. - Spain (2025). Retrieved from cookiefines.eu
Last updated: