GSMA Limited

€600,000

Insufficient legal basis for data processing

Decision Date

May 31, 2024

Authority

Spanish Data Protection Authority (aepd)

ES

Sector

Individuals and Private Associations

Country

ES

Law

GDPR

Status

FINAL

Description

The Spanish DPA has imposed a fine of EUR 600,000 on GSMA Limited. In 2022, GSMA Limited required employees of its suppliers to register on an online platform and upload proof of vaccination against COVID-19. One of the data subjects filed a complaint with the DPA as they considered the data processing to be unlawful. GSMA referred to a legal obligation and public interest, but could not provide a specific legal basis. The DPA found that less invasive safeguards would have been possible and that the affected workers were not sufficiently informed about the data processing.

Legal Citations

Art. 6 (1)Art. 9 (2)Art. 14

Issues & Violations

Insufficient legal basis for data processing
View Official Document
Back to Fines Database
Previous Fine
Spanish Data Protection Authority (aepd) - PILLOW ...
Next Fine
Data Protection Authority of Hamburg (HmbBfDI) - C...

Stay Updated on Privacy Enforcement

We respect your privacy. One email per month, no spam, unsubscribe anytime.