Data minimization or sanction

Data minimization

The minimization of personal data is not a new topic, far from it; in fact, it is a principle that has governed data protection since the GDPR came into force and that any company or professional must comply with.

Thus, Article 5.1 c) of the GDPR states that data processing shall be governed by the principle of data minimization and to comply with it, these measures must be applied:

Essential data

Only data that is necessary, relevant and appropriate for the purpose of the processing will be processed.

Time limitation

Data processing will be limited to the period of conservation and accessibility, essential to fulfill the purpose for which the data have been collected; no more and no less.

Limitation of use

The processing of personal data will only be allowed to authorized employees who really need it to fulfill the purpose for which it was collected.

Although this guiding principle of data protection seems simple to apply, it is not always so easy or so clear to put into practice in our professional activity.

The first thing we must clearly define is the purpose of the data processing, so that from there the identification of the data we need to process to achieve that purpose is unequivocal. Crossing this line, which is sometimes very thin, can have consequences we do not expect: being sanctioned for asking for more data than we need.

Incredible, isn’t it, because you thought that more data is always better than no data, right? Well, with personal data it’s the other way around: less is more.

The Spanish Data Protection Agency (AEPD) has just published a resolution in which an online gaming company was sanctioned for requesting additional data from one of its users without any justification. We tell you about it!

Actual penalties

EUROBOX S.A. is a micro-company dedicated to online gaming. After suspecting that one of its users might be a professional gambler, it decided to request certain information in order to verify this, since, according to the company itself, professional gambling is prohibited by Law 13/2011, of May 27, on the regulation of gaming, as well as by the terms and conditions of the gaming platform itself. On that basis, the user's account was suspended.

In order to lift the suspension, the user was asked for nothing more and nothing less than a registered address, current profession, gross annual salary, whether he plays with his own funds or with funds provided by third parties, and his last payslip or, if self-employed, his quarterly tax return. As can be seen, this is a great deal of information containing personal data, enough to build a profile of the person; a request like this should put us on alert that we may be the target of fraud and lead us to refuse to provide the data unless there is a genuine justification for it.

In the case in question, even though the person was suspicious of the request from EUROBOX, he handed over the information.

The AEPD considers that, in its response, EUROBOX S.A. did not sufficiently justify requesting all of these data from the user in relation to the purpose of identifying him as a professional player based on his behaviour on the website. In addition, the Privacy Policy on its website never listed profession, gross annual salary or the origin of the user's income among the data that the company may process.

Thus, it is identified that EUROBOX S.A. did not comply with the principle of data minimization for the following reasons:

- It required data that were neither necessary nor relevant.

- The data requested from the user were not covered by the Privacy Policy.

- The purpose of requesting such data from the user was not clearly identified.

For these reasons, the AEPD found that Articles 5.1 c) and 13 of the GDPR had been violated.

The penalty imposed on EUROBOX S.A. amounted to 10,000 euros.

Other real cases

This resolution is not the only one in which the AEPD has imposed sanctions for non-compliance with the principle of data minimization. Here are some other examples:

PS-00436-2023

Publication of a video on a social network without consent and without taking measures to ensure that the faces of the persons appearing in the video were not recognized.

Penalty of 50,000 euros.

PS-00253-2023

To refund an amount paid for a dental service, a copy of the ID card was requested, even though there were other ways to make the refund using information the clinic already had, because the claimant had been a client using its services for some time.

Penalty of 20,000 euros.

PS-00596-2021

A local police officer took a photo of a person's ID card without his consent and without informing him of the use he would make of the data.

Sanction: warning to the City Council.

Business Adapter® at your service

If you believe that you are not correctly applying the principle of data minimization in your organization, please contact us by email at info@businessadapter.es, call 96 131 88 04, or leave your message in this form:

Contact us, we will be pleased to help you: https://businessadapter.es/contacto