Estudio Alcazar del Genil – €40,000 Fine (Spain, 2025)

An employee of a real estate agency (controller) was fired after refusing to follow the orders of his employers. The controller had asked him to take photos and videos of the mailboxes of the owners of the properties the controller was engaged with in order to build a database. The information collected would have been comprised of the street, block number, floor, and the names of the residents in the property. The controller was not intending to ask for consent for this processing, and after refusing to comply, citing data protection concerns, the employee was fired. The employee filed a complaint with the AEPD (Spanish DPA) on 9 May 2023. During the investigation, the controller had tried to argue that they had not asked the employee to take such photos, but the employee provided extracts of a conversation over text which demonstrated that they had. The controller also submitted that the source of the information came from a public directory and not, as alleged, the taking of photos of mailboxes by their employees. The DPA found that the controller had infringed Article 6(1) GDPR. The DPA rejected the controller’s claims of having sourced the information from a public directory, reasoning that such directory does not include the floor number of the apartments, as was present in the controller’s database. The DPA also found that the controller had infringed Article 14 GDPR in failing to provide transparent information to the data subject where their data has not been obtained from them, as the data subjects were not informed their data would be included in the database. In determining the appropriate sanction, the DPA was influenced by the fact that the processing operation in question was not isolated in nature (it seemed to be standard practice at the organisation) and the significant extent of the negligence present in the controller’s actions. The DPA initially set the fine at €20,000 but pursuant to Law 39/2015, a Spanish law concerning administrative