Spanish Data Protection Authority - Data Breach Notification

The Spanish DPA has imposed a €5,000 fine on a real estate agency that obtained personal data from a data subject through a third party without a valid legal basis. Here's the situation: Employees of a real estate agency visited the data subject's home to provide services related to a property owned by their father. The data subject asked the employees how they obtained their and their father's personal data. In response, the employees stated that the agency used a website called Quality Provider for this service.

The data subject filed a complaint with the Spanish DPA, alleging that obtaining their data from a third party and using it for promotional purposes was illegal.

Upon investigation, the controller admitted that its employees had obtained the data subject's name and address from neighbors and used a website called Quality Provider to learn where they lived and provide services.

The Spanish Data Protection Authority initiated an examination, emphasizing the need for a legal basis for any processing of personal data. The authority found that the agency, acting as a controller, had not specified any of the justifications from GDPR Article 6(1) as a legitimizing basis for its actions and, therefore, imposed a €5,000 fine for the violation of GDPR Article 6(1), stressing that access to personal data must be supported by a legal basis.