Yet again Spain’s Data Protection Agency has laid down a penalty benchmark guaranteed to put the fear of the almighty into all those processing data in Europe.
Topic: Data Protection
Who: Telefonica Espana and the Spanish Data Protection Agency
Where: Madrid
When: January 2002
What happened:
A subscriber to Telefonica Espana (the Spanish BT) had opted out of the use of his data for anything other than the provision of the telephony service to which he was subscribing. Despite this, Telefonica Espana ("TE") proceeded to share that individual's data with one of its subsidiaries, Telefonica Data. The individual in question then reported TE to the Spanish Data Protection Agency, which, following an investigation, proceeded to impose a fine on TE of no less than €840,000, or well over £530,000 at current exchange rates.
Why this matters:
This was the third time that TE had been fined for data protection law infractions. The most recent incident before this was in April 2001, with a fine of €120,200 following security problems with its portal relating to the personal data of more than 3,000 of its subscribers.
The Spanish Data Protection Agency clearly has much bigger and sharper teeth than the UK's Information Commission, but the essential illegality remains the same, and it is no excuse that the company to which personal data has been disclosed is part of the same group as the disclosing company. Another lesson to be learnt here is that whether or not TE kept comprehensive records in this particular case, it is crucial that the "back end" of data collection is properly husbanded, so that a comprehensive record is always available of which individuals "opted in" and which individuals "opted out".