CÁMARA DE COMERCIO, INDUSTRIA, SERVICIOS Y NAVEGACIÓN DE ESPAÑA (Chamber of Commerce) – €500,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Institut per a la Cultura Democratica a L’era Digital (also known as Xnet) is a digital rights non-profit organisation. Xnet filed a complaint with the DPA on 27 December 2022, regarding the processing of personal data of self-employed people by both public authorities and private companies. One of the public authorities investigated by the DPA was the Chamber of Commerce (the controller), who received data from the Tax Authority based on a contract. The controller maintained a publicly available census of information related to Spanish enterprises (including natural persons). The controller also provided private companies (such as Camerdata) with a database containing additional information, such as self-employed persons’ Tax Identity Number (NIF in Spanish). According to Xnet, once someone registers as self-employed with the Tax Agency their personal data is treated as information of professional interest. This means that if it matches private information (e.g. if someone works from home), their data such as personal address is easily accessible on the Internet. This means that if someone works from home, their personal address is easily accessible on the Internet. Financial information and legal incidents (including their credit scores and likelihood of nonpayment) are also available in some cases. This personal data can be processed and sold on the Internet by private companies. The controller argued that its processing of personal data was lawful; it maintained the publicly available census under legal obligation (Article 6(1)(c) GDPR) and public interest (Article 6(1)(e) GDPR). It also relied on legitimate interest (Article 6(1)(f) GDPR) to transfer the data to third parties. Finally, the controller argued that it did not provide private companies with data subjects’ NIF, but instead provided this data in an encrypted form that was then decrypted by the recipients. These recipients were the controllers of the personal data, as they did not receive instructi
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Institut per a la Cultura Democratica a L’era Digital (also known as Xnet) is a digital rights non-profit organisation. Xnet filed a complaint with the DPA on 27 December 2022, regarding the processing of personal data of self-employed people by both public authorities and private companies. One of the public authorities investigated by the DPA was the Chamber of Commerce (the controller), who received data from the Tax Authority based on a contract. The controller maintained a publicly available census of information related to Spanish enterprises (including natural persons). The controller also provided private companies (such as Camerdata) with a database containing additional information, such as self-employed persons’ Tax Identity Number (NIF in Spanish). According to Xnet, once someone registers as self-employed with the Tax Agency their personal data is treated as information of professional interest. This means that if it matches private information (e.g. if someone works from home), their data such as personal address is easily accessible on the Internet. This means that if someone works from home, their personal address is easily accessible on the Internet. Financial information and legal incidents (including their credit scores and likelihood of nonpayment) are also available in some cases. This personal data can be processed and sold on the Internet by private companies. The controller argued that its processing of personal data was lawful; it maintained the publicly available census under legal obligation (Article 6(1)(c) GDPR) and public interest (Article 6(1)(e) GDPR). It also relied on legitimate interest (Article 6(1)(f) GDPR) to transfer the data to third parties. Finally, the controller argued that it did not provide private companies with data subjects’ NIF, but instead provided this data in an encrypted form that was then decrypted by the recipients. These recipients were the controllers of the personal data, as they did not receive instructi
Related Enforcement Actions (0)
No other enforcement actions found for CÁMARA DE COMERCIO, INDUSTRIA, SERVICIOS Y NAVEGACIÓN DE ESPAÑA (Chamber of Commerce) in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
15 April 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€500,000
GDPRhub ID
gdprhub-9485About this data
Cite as: Cookie Fines. CÁMARA DE COMERCIO, INDUSTRIA, SERVICIOS Y NAVEGACIÓN DE ESPAÑA (Chamber of Commerce) - Spain (2025). Retrieved from cookiefines.eu
Last updated: