Atrium Lex SFC – €100,000 Fine (Spain, 2024)

€100,000 | Agencia Española de Protección de Datos | 13 November 2024 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The data subject was an investor with the controller, Atrium Lex SFC, a company which specialises in real estate investment projects. On 28/06/2022, the data subject requested information about his portfolio from the controller. In its response, the controller requested a copy of the data subject’s DNI (national identity card) without providing any information as to how this data would be processed. It asked that the identity card be scanned and sent by email. Following an email exchange with the data subject, the controller continued to request the DNI via email, offering no information as to the nature of the processing.

On 20/05/2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller. The data subject complained that he was not informed about the processing, that he was provided with no privacy policy by the controller, and that email is an insecure and inappropriate medium for the provision of a scanned identity document. The controller initially failed to respond to the AEPD’s request for a response. When it did, it claimed that, as the sole administrator of the companies in which the data subject had invested, requiring the data subject’s DNI was a necessary measure to ensure that access to investment-related information was limited to investors. It denied having breached data protection law and stated that it would implement the AEPD’s guidelines and improve its internal processes.

The AEPD opened a formal investigation on 20/08/2023. The AEPD found that the controller had committed two violations of the GDPR. Firstly, it found that the controller had failed to adequately inform the data subject about the processing in question, in violation of Articles 5(1)(a) & 13 GDPR. This was because the controller had failed to inform the data subject about the processing when requesting his DNI. The controller also did not have a privacy po

GDPR Articles Cited

Art. 13 GDPR
Art. 32 GDPR
Art. 5(1)(a) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Atrium Lex SFC in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

13 November 2024

Authority

Agencia Española de Protección de Datos

Fine Amount

€100,000

Enforcement Tracker ID

ETid-2527

GDPRhub ID

gdprhub-8887

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Atrium Lex SFC - Spain (2024). Retrieved from cookiefines.eu
