Enforcement
GSMA Limited: Insufficient legal basis for data processing
€600,000 fine - Spanish Data Protection Authority (AEPD)
Content
The Spanish DPA has imposed a fine of EUR 600,000 on GSMA Limited. In 2022, GSMA Limited required employees of its suppliers to register on an online platform and upload proof of vaccination against COVID-19. One of the data subjects filed a complaint with the DPA as they considered the data processing to be unlawful. GSMA referred to a legal obligation and public interest, but could not provide a specific legal basis. The DPA found that less invasive safeguards would have been possible and that the affected workers were not sufficiently informed about the data processing.
GDPR Articles: Art. 6 (1) GDPR, Art. 9 (2) GDPR, Art. 14 GDPR
Industry: Individuals and Private Associations