Details:
| Summary | The Spanish DPA has imposed a fine on Thomas International Systems, S.A.. Thomas International performs psychological tests on behalf of other companies. Thomas International had conducted such a test on behalf of the company Agroxarxa, S.L.. A participant of such a test had filed a complaint against the controller because they had to provide sensitive personal data (ethnicity, disability). However, Agroxarxa had indicated that the test did not request and process such sensitive data. During its investigation, the DPA found that Thomas International had nevertheless processed sensitive personal data without the consent of the data subject or the processing being necessary for the fulfillment of the contractually agreed purpose between Agroxarxa and Thomas International. The DPA considered this to be a violation of Art. 9 GDPR. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment. |
| Link: | link |
| Related articles: | Art. 9 GDPR |
| Type: | Insufficient legal basis for data processing |
| Fine: | EUR 40,000 |
| Sector | Finance, Insurance and Consulting |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/