CARTONAJES BAÑERES, S.A: Insufficient technical and organisational measures to ensure information security

The Spanish DPA has fined CARTONAJES BAÑERES, S.A. EUR 220,000. During its investigation, the DPA found that the controller had failed to grant a former employee access to their personal data. The DPA also found that the controller had failed to carry out a data protection impact assessment regarding the operation of a biometric facial recognition system installed to track working hours.

GDPR Articles: Art. 15 GDPR, Art. 35 GDPR
Industry: Employment