Other authors      Ellen Hepworth, Trainee Solicitor, London  |  Salome Peters, Legal Intern, Frankfurt 

The Spanish Data Protection Authority ("Agencia Espanola Proteccion Datos – AEPD") has recently issued its highest fine to date, totaling €8.15 million for several breaches of GDPR and national legislation by a multinational telecommunication company and its service providers. Notably, €2 million of this fine was attributable to its service provider conducting an international transfer of personal data to a country that did not comply with the European data protection requirements.

Following the Schrems II ruling, European supervisory authorities are increasing their scrutiny of the safeguards and controls being adopted by organisations when conducting international transfers and processing of personal data. This case demonstrates that organisations that transfer and use significant amounts of personal data in the context of operations that are heavily outsourced or reliant on chains of counterparties in different countries may be particularly at risk of future enforcement action.

Data transfers

Under Article 44 of the GDPR, businesses transferring personal data abroad (i.e. outside of the EEA and UK) must put in place appropriate safeguards unless data protection law in the country the data is being transferred to is classed as offering adequate data protection.

The most commonly used safeguard for transfers to countries not classed as adequate are the Standard Contractual Clauses ("SCCs") which set out the obligations of both the importing and exporting party with regard to the protection of personal data and the enforceable rights of the data subjects against both these parties.

The fines in detail

A €2 million fine was issued for the international transfer of personal data without sufficient protection for customer personal data. In this case, the multinational business relied on an outsourced service provider (i.e. a data processor) to conduct certain database operations with respect to its customers' personal data.  This outsourced service provider used a subcontractor (i.e. a sub-processor) based in Peru without any contractual provisions being put in place to ensure the transfer of personal data to Peru occurred in a manner that complied with the European data protection requirements.

The remainder of the €8.15 million fine consisted of:

  1. €4 million for using service providers that did not implement sufficient measures to comply with the GDPR (such as security measures);
  2. €2 million for these service providers sending marketing communications to customers without their consent (which included marketing communications being sent to those who had previously opted out of or had objected to receiving them); and
  3. €150,000 for using cookies technologies to conduct marketing communications without checking if customers had opted out first.

Conclusion

The AEPD concluded that there was insufficient documentation and an overall lack of control and supervision about how customer data was treated as well as there being a lack of awareness about the documentation the multinational had in place by third parties processing customer data on its behalf.

The AEPD noted that these concerns most likely arose because the majority of operations were outsourced. Similarly placed multinational companies should regularly review the sufficiency of the controls they have in place that relate to their use of data processors and sub-processors in response to this.