Spanish supermarket fined 20,000 euros after video of customer was shared on social media
The national data protection agency said there was of a lack of security measures in place to ensure the proper processing of data collected by the store's CCTV surveillance system
The Spanish data protection agency (AEPD) has fined a supermarket in Madrid 20,000 euros (it has finally paid 12,000 euros after two reductions) for a violation of current legislation (article 32 of the General Data Protection Regulation), after a video of a customer was shared on social media. "The facts appear to show a clear lack of diligence in ensuring the security in the processing of personal data of its customers and, in particular, of their images," the ruling stated.
The fine was connected to an incident involving a video from the shop's CCTV surveillance system that captured the moment a customer returned some items to the store. It was a 40-second visual file that a cashier showed the customer on a mobile phone and subsequently sent to their personal phone via WhatsApp. It also showed one of the checkout counters and two customers (one of whom was the victim) and another at the entrance to the supermarket.
In its ruling, the AEPD claimed that a lack of security measures was used "consciously" by the supermarket to require the customer to return an allegedly misappropriated amount. In its opinion, the request to return the money was based on images whose authorised access "has not been accredited". Moreover, to reinforce the argument of the erroneous refund, they were sent to the customer using a mobile device.
The AEPD highlighted that the video provided was not the image directly recorded by the security camera, but one that could have been captured by a mobile device and which reproduced the images captured by the camera. "In this sense, some initial movements are perceptible in the video provided - indicative of a certain lack of stability in the device that was capturing the images - as well as the identification of the complainant by means of a cursor that was placed over her image and that could have been used since the original viewing of the images on the corresponding monitor".
Therefore, according to the agency, the recordings from at least this security camera were accessible to employees of the shop who they AEPD argued did not have security roles at the supermarket. Furthermore, the AEPD argued that data protection laws were broken when the video was sent to the customer via WhatsApp.
It also emphasised that the document contained images not only of the complainant, but also of two other customers: "The facts described seem to indicate that the processing of the clients' personal data lacked the technical and organisational security measures prescribed by the General Data Protection Regulation (GDPR).
The court ruled that the measures should have been aimed at preventing unauthorised access to the images captured by the video surveillance system, as well as the subsequent dissemination of the images accessed (dissemination also lacking any security measures as it was sent via a mobile phone).
Although the fine imposed amounted to 20,000 euros, the company benefited from an initial reduction of 20 per cent after acknowledging its responsibility within the time limit given. In addition, it received a further reduction for voluntary payment of the fine, which was finally set at 12,000.00 euros.
