Conseguridad SL – €50,000 Fine (Spain, 2020)

Conseguridad SL (a private security company) set up a video surveillance system recording any individual that enters and work in their premises. However, the company does not have a data protection officer, meaning that no GPDR rights can be exercised in that respect. Conseguridad SL did not respond when notified by the Spanish DPA. Does the lack of a data protection officer in a company result in a breach of Article 37 GDPR? The Spanish DPA (AEPD) found that Conseguridad SL had violated Article 37(1)(b) GDPR by not having designated a data protection officer (DPO). The absence of a DPO also resulted in a breach of Article 34(1)(ñ) and 34(3) of the national law, "LOPPDGDD". The DPA specified that a DPO is necessary where a private security company processes personal data on a large scale, such as Conseguridad SL. On the question of video surveillance, the Spanish DPA mentioned that the installation of video cameras are not necessarily illegal, so long as they have an information notice attached (Article 22(4) LOPDGDD). Conseguridad SL was fined €50000 for not having a DPO.