CARTONAJES BAÑERES, S.A.: Insufficient technical and organisational measures to ensure information security

The Spanish DPA imposed a fine of EUR 220,000 on CARTONAJES BAÑERES, S.A. following a complaint filed by a former employee. The employee had submitted a request to the controller for access to their personal data, particularly inquiring about the purpose and categories of data held. However, they did not receive a proper response. The employee also stated that the controller used a biometric facial recognition system that allowed employees to clock in and out, but did not offer an alternative method of recording attendance. During its investigation, the DPA found that the controller had failed to properly comply with the data subject's request for access to their personal data. Furthermore, the DPA found that the controller had failed to carry out a risk assessment of the biometric system, which would have been necessary considering the risks that the processing of biometric data poses to data subjects.

GDPR Articles: Art. 15 GDPR, Art. 35 GDPR
Industry: Employment