Estudio Alcazar del Genil – €40,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A real estate agency in Spain fired an employee for refusing to take photos of residents' mailboxes to build a database without consent. The Spanish data protection authority found this practice illegal because the agency didn't have a valid reason to collect that personal information. This case highlights the importance of obtaining consent when handling personal data.
What happened
The real estate agency collected personal data from residents without their consent by asking an employee to take photos of their mailboxes.
Who was affected
Residents whose mailbox information was photographed and included in the agency's database were affected.
What the authority found
The Spanish data protection authority ruled that the agency violated GDPR by processing personal data without a valid legal basis.
Why this matters
This decision emphasizes that companies must obtain consent before collecting personal data. It serves as a reminder for businesses to review their data collection practices to ensure compliance with privacy laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
An employee of a real estate agency (controller) was fired after refusing to follow the orders of his employers. The controller had asked him to take photos and videos of the mailboxes of the owners of the properties the controller was engaged with in order to build a database. The information collected would have been comprised of the street, block number, floor, and the names of the residents in the property. The controller was not intending to ask for consent for this processing, and after refusing to comply, citing data protection concerns, the employee was fired. The employee filed a complaint with the AEPD (Spanish DPA) on 9 May 2023. During the investigation, the controller had tried to argue that they had not asked the employee to take such photos, but the employee provided extracts of a conversation over text which demonstrated that they had. The controller also submitted that the source of the information came from a public directory and not, as alleged, the taking of photos of mailboxes by their employees. The DPA found that the controller had infringed Article 6(1) GDPR. The DPA rejected the controller’s claims of having sourced the information from a public directory, reasoning that such directory does not include the floor number of the apartments, as was present in the controller’s database. The DPA also found that the controller had infringed Article 14 GDPR in failing to provide transparent information to the data subject where their data has not been obtained from them, as the data subjects were not informed their data would be included in the database. In determining the appropriate sanction, the DPA was influenced by the fact that the processing operation in question was not isolated in nature (it seemed to be standard practice at the organisation) and the significant extent of the negligence present in the controller’s actions. The DPA initially set the fine at €20,000 but pursuant to Law 39/2015, a Spanish law concerning administrative
Related Enforcement Actions (0)
No other enforcement actions found for Estudio Alcazar del Genil in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
7 February 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€40,000
GDPRhub ID
gdprhub-9175About this data
Cite as: Cookie Fines. Estudio Alcazar del Genil - Spain (2025). Retrieved from cookiefines.eu
Last updated: