OCI CINE, S.L. – €18,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 5 June 2024, a data subject filed a complaint with the DPA against OCI CINE, S.L. (a cinema, the controller), regarding the automatic inclusion of another customer's personal data when purchasing movie tickets through the controller's app. Between 7 April 2024 and 6 August 2024, eight users of the controller's app (data subjects) experienced a failure in its systems that caused a coincidence of identifiers among customers. Data subjects remained linked to the standard user ID initially assigned during account registration on their first login to the controller's app, instead of receiving a personal user ID on their second login. As a result, upon their next login, data subjects could view the personal data of customers assigned to that initial standard user ID, such as name, surname, email address, telephone number, and Fidelity card number.
The controller argued that it had measures in place to ensure compliance with data protection laws. Among those measures, the controller had requested and later accepted the recommendation of a consultancy company on the failure in its systems. Furthermore, the controller had used a tool, Asesora Brecha (https://www.aepd.es/en/guides-and-tools/tools/asesora-brecha), to determine whether it had the obligation to notify the DPA about the issue on its app. The tool exempted the controller from the notification.
On 5 September 2024, the complaint was allowed to proceed. The DPA found a breach of the data accuracy principle (Article 5(1)(d) GDPR). The DPA held that the controller did not maintain accurate personal data of eight users and did not implement any technical or organizational measures to ensure accuracy or mitigate factors causing inaccuracy. This was also a violation of Article 32 GDPR. The DPA fined the controller €30,000 in total; €4,000 for the violation of Article 5(1)(d) GDPR, and €26,000 for the violation of Article 32 GDPR. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the DPA
GDPR Articles Cited
National Law Articles
Entities Involved
Related Enforcement Actions (0)
No other enforcement actions found for OCI CINE, S.L. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
2 June 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€18,000
Enforcement Tracker ID
ETid-2741
GDPRhub ID
gdprhub-9458
Cite as: Cookie Fines. OCI CINE, S.L. - Spain (2025). Retrieved from cookiefines.eu