The AEPD highlights the importance of transparency in the processing of personal data obtained from third parties

Contacts

Joaquín Muñoz

Partner
Spain

I am a partner and head of the Commercial and Privacy & Data Protection department of Bird & Bird in the Madrid office.

Marzena Ewa Adamska

Associate
Spain

I am an associate in the Commercial and Privacy and Data Protection department in the Madrid office.

Paula Garralon

Senior Associate
Spain

I am an associate in the Commercial and Privacy and Data Protection department in the Madrid office.

In December 2022, the Spanish Data Protection Agency (AEPD) initiated sanctioning proceedings against a company in the products sector following a complaint related to the processing and publication of personal data of self-employed workers.

The data, originally collected by the State Tax Administration Agency (AEAT) for administrative purposes within the economic activity census, was later used by the sanctioned company for marketing campaigns and commercial reports, without a valid legal basis or prior adequate information provided to the data subjects.

This conduct was sanctioned under the GDPR with a fine of €900,000 for violating Article 14 of the GDPR (duty to inform) and another €900,000 for violating Article 6 of the GDPR (legal basis).

In line with this stance, the AEPD has issued resolutions against other companies in the infomediary sector, requiring them to cease processing data of self-employed workers until they have a valid legal basis to justify it, as well as to delete all information related to self-employed individuals from their databases.

Lack of information for data subjects

Article 14 of the GDPR establishes the obligation to inform data subjects when data is not obtained directly from them, ensuring transparency and awareness regarding the processing and its purposes.

However, the article itself provides an exception to this obligation when providing the information is impossible or would involve a disproportionate effort. In such cases, the data controller must adopt appropriate measures to protect the rights, freedoms, and legitimate interests of the affected individuals.

In the case under review, the AEPD considers that the sanctioned company’s publication on its website does not constitute a sufficient mechanism to properly fulfil the duty to inform. Furthermore, the Agency warns that the exception based on “disproportionate effort” cannot be interpreted broadly or applied automatically; it requires an individualized assessment. This assessment must consider factors such as the number of affected individuals, the age of the data, and the safeguards implemented to protect the rights of the data subjects.

According to the Agency, the sanctioned company did not demonstrate having conducted this analysis, merely citing the large volume of records processed as the sole argument to justify the application of the exception.

This lack of information directly violates the fundamental right to transparency and hinders the effective exercise of privacy rights established in Articles 15 to 22 of the GDPR.

Lack of valid legal basis

The lawfulness of personal data processing always requires a clear legal basis, in accordance with Article 6 of the GDPR. The sanctioned company claimed legitimate interest to justify the processing, but the AEPD determined that:

  • This legitimate interest was not shown to override the fundamental rights and freedoms of the self-employed individuals.
  • The commercial purpose was not clearly compatible with the original purpose of collecting the data for administrative reasons.
  • The lack of information for data subjects exacerbates the absence of a valid legal basis.

Purpose compatibility and the principle of data minimization

Additionally, the resolution questions whether the reuse of data for commercial reports complies with the purpose limitation principle (Art. 5.1.b GDPR) and the data minimization principle (Art. 5.1.c GDPR), since:

  • Compatibility between the original and new purposes was not sufficiently justified.
  • The volume of data used may exceed what is strictly necessary for the commercial purpose.

Reflection on the criteria applied by the AEPD

The AEPD adopts a rigorous approach that emphasizes two fundamental pillars of the GDPR: the obligation of transparency and the need for a valid legal basis for any personal data processing.

The strict interpretation of Article 14 reaffirms that transparency is not merely a formal requirement, but an essential guarantee for data subjects to control the fate of their data, especially in cases of indirect data collection, a crucial aspect that has not always received adequate attention in the business environment.

On the other hand, the strict requirements regarding Article 6 demonstrate that legitimate interest cannot be a “wild card” to legitimize processing that violates fundamental rights or lacks proper prior information.

This resolution sends a clear message to all entities handling personal data obtained from third parties: possessing the data is not enough — it is essential to inform the data subject clearly and in advance, thereby ensuring their effective control over their personal information.
