Marbella Resorts S.L.

Description

The Spanish DPA (AEPD) has imposed a fine of EUR 7,000 on Marbella Resorts S.L.. In the case at hand, the data subject had booked a room in the hotel complex of the controller. On the day of the data subject's arrival, a concierge made copies of the data subject's data. However, the concierge was not authorized to do so. He was solely authorized to verify the reservation and then to give the guests the keys to their room. After providing the controller with his personal data, the data subject discovered that his personal data had been published on a page with online content for adults. In this regard, the DPA found a lack of diligence on the part of the controller in managing the personal data of its customers and thus a violation of Article 28 (3) GDPR. The fine is composed proportionally of EUR 2,000 for a breach of Art. 22(2) LSSI and 5,000 EIR for a breach of Art. 28(3) GDPR. However, the original fine of EUR 7,000 was reduced to EUR 4,200 due to the immediate payment and admission of guilt.