Novates Alimentacion Madrid – €12,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A data subject returned a product to a store, Novates Alimentacion Madrid (controller), and was refunded too much money. When the data subject visited the store again, a staff member showed her CCTV footage of her previous interaction at the checkout. The staff member showed the data subject a recording of this footage taken on the staff member's personal mobile phone and sent it to the data subject via WhatsApp. In the video, other customers are visible, and the recording includes the voice of a staff member who remarks “that’s where the failure was”. On 26 April 2024, the data subject filed a complaint with the AEPD (Spanish DPA).

The DPA found that the controller had infringed Article 32 GDPR by failing to implement appropriate technical and organisational security measures in respect of the collection and dissemination of the footage. The DPA found that the recording of the footage taken on the staff member’s mobile phone evidenced that CCTV footage could be accessed by staff members with no responsibility for the security of the store. The DPA also noted that the CCTV system allowed footage to be recorded by a secondary device, and it was critical of the use of WhatsApp as a means to transfer the footage. Finally, the DPA highlighted that the footage in question included the personal data not only of the data subject but also of other customers in the store, with no effort made to de-identify those data subjects before disseminating the footage.

In determining the appropriate sanction to be imposed, the DPA was influenced by the stark lack of diligence in the protection of personal data undergoing processing by the controller, as well as its high turnover. The DPA initially set the fine at €20,000. However, pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the DPA informed the controller that it may acknowledge its responsibility for the alleged violations and/or make a voluntary payment of the proposed fine. Each
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Novates Alimentacion Madrid in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
11 April 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€12,000
GDPRhub ID
gdprhub-9201
Cite as: Cookie Fines. Novates Alimentacion Madrid - Spain (2025). Retrieved from cookiefines.eu