CAMERDATA – €260,000 Fine (Spain, 2025)

Institut per a la Cultura Democratica a L’era Digital (Institute for Democratic Culture in the Digital Era, also known as Xnet) is a digital rights non-profit organisation. Xnet brought a complaint to the DPA on 27 December 2022, regarding the processing of personal data of self-employed people by public authorities as well as private companies such as CAMERDATA (the controller). The controller is a company that provides commercial and financial information on Spanish enterprises. Their database is sourced mainly from the Chamber of Commerce (who receives the data from the Tax Authority) based on a contract. This includes data subjects’ Tax Identification Number (NIF), which is decrypted by the controller. The Chamber of Commerce, therefore, argued that the Tax Identification Number is not publicly available. According to Xnet, once someone registers as self-employed with the Tax Agency their personal data is treated as information of professional interest. This means that if someone works from home, their personal address is easily accessible on the Internet. Financial information and legal incidents (including their credit scores and likelihood of nonpayment) are also available in some cases. This personal data can be processed and sold on the Internet by private companies, such as the controller. The controller argued that their legal basis of processing data from the Chamber of Commerce for third parties is legitimate interest (Article 6(1)(f) GDPR). This legal basis is presumed to be met in accordance with [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673#a1-11 Article 19(2) of the national data protection law (LOPDGDD)]. This article applies if the controller processes data of individual entrepreneurs in their professional rather than private capacity. In addition, the data is obtained from public sources. The DPA first clarified that the GDPR does not exclude self-employed people in its scope. In addition, the Chamber of Commerce has the legal obliga