PONTI IP


August 2, 2023

Personal data processing is not something to be taken lightly: the example of the 75,000 € fine for a selfie  

August has just begun, and with it the peak holiday season. Buying tickets, travelling, renting flats or hotel rooms, making bookings, etc.: an endless number of steps to take in order to enjoy the long-awaited holidays. It is also a critical moment in the use of personal data, which is always requested when making reservations.

We must pay attention to what we are asked for and not take it lightly.

An example to illustrate this is the 75,000 euro fine imposed by the Spanish Data Protection Agency (AEPD) on a tourist rental management company (Marketing Accommodation Solutions) for excessive processing of personal data. The company in question demanded more data than necessary when managing its rentals, asking, by means of a form, for the postal address, telephone number, email address, ID photographed on both sides and even selfies of each of the people who were going to stay. Moreover, there was no possibility to decline the option to use the data to send offers and promotions.

It all started when a user, through the online platform Airbnb, contacted the aforementioned company in order to find accommodation for a few days with her companions. Airbnb had set up a web page/app for online check-in, a compulsory procedure to formalise the handover of the keys of the flat. In order to carry out the check-in, all guests had to fill in a form in which they had to provide all the aforementioned data.   

One of the affected persons contacted the company in order to indicate that the data requested were excessive for a reservation. The company’s response indicated that the only data they had/needed were those provided by Airbnb, i.e. name and surname, telephone number and email address. However, in the check-in confirmation email, it was stated that the personal data would also be stored for future bookings, as well as to “keep you updated on our news, promotions and offers”. In addition, the company also argued that the rest of the data (copies of ID cards, for example) had been collected because, in Catalonia, it is compulsory to provide the police with travellers’ data.

Infringement of Articles 5 and 13 of the GDPR  

Faced with the company’s generic and unconvincing response, the people affected decided to file a complaint with the AEPD, which studied the case. It is here that we must bear in mind that article 5.1.c) of the General Data Protection Regulation (GDPR) establishes that “personal data shall be processed in a way that is adequate, relevant and limited to what is strictly necessary in relation to the purposes for which they are processed; in other words, in such a way that, if the objective pursued can be achieved without excessive processing, it must be so”.  

The Agency, in its decision, understood that “not all the data are necessary either to provide the service of renting holiday flats, or to comply with the obligation to register the persons staying in the accommodation establishments, or for registration and communication to the Directorate General of Police”. Therefore, a violation of Article 5 GDPR was committed by processing data that was not necessary, which Article 72 LOPDGDD classifies as a very serious data processing offence.

On the other hand, the Agency also highlighted that Article 13 GDPR was violated, which reads as follows: “where personal data are obtained from a data subject, the controller shall, at the time the data are obtained, provide the data subject with his or her full identity and contact details; the purposes for which the data are intended and the legal basis for processing; whether there are recipients or the data are disclosed to third parties (and to which, if any); as well as the controller’s intention to transfer to a third country or international organisation and the existence or absence of an adequacy decision of the European Commission”.

Thus, the Agency imposed a fine of €25,000 for excessive and unnecessary use of personal data (Article 5.1.c GDPR), and a fine of €50,000 for failure to inform in a clear and transparent manner about the purposes of the processing, communication to third countries or international organisations, etc. (Article 13 GDPR). 

Lastly, it should be added that, when identifying the data controller, it was revealed that the company in charge of the check-in is located in the United Arab Emirates. However, despite the company being outside the European Union, the AEPD has jurisdiction in the case since the offer of goods is directed at EU consumers and the services are provided in the same territory.

And this news item is not an isolated example. So far this summer, several fines have already been imposed for breaching data protection obligations, such as the $20 million fine imposed on Microsoft for illegally collecting data from minors; or the AEPD’s sanction against Quality Provider for obstructing the deletion of a user’s personal data.

It is very important to always bear in mind the importance of personal data. This applies both at the individual level, by knowing how the data is used and sharing only what is necessary and justified, and on the part of companies, which face large fines and other problems if this data is not managed correctly and if their policy is not updated and adapted to regulatory changes.

Article by Imma Martí.
