Details:

Summary The Spanish DPA has imposed a fine of EUR 365,000 on CTC EXTERNALIZACIÓN, S.L.. An employee had filed a complaint with the DPA due to the fact that the controller had requested fingerprints of employees in order to implement a new time and attendance system. However, it was not communicated that the fingerprints would also be stored in the staff portal. For this reason, the DPA found that the controller had violated its duty to inform. The DPA also found that the controller was unable to demonstrate sufficient security measures for the processing of fingerprints. Finally, the DPA found that the controller had failed to carry out a required data protection impact assessment.
Link: link
Related articles:  Art. 13 GDPR, Art. 32 GDPR, Art. 35 GDPR
Type: Insufficient fulfilment of information obligations
Fine: EUR 365,000
Sector Employment

 

All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/

Tags: case law