AI-based solution designed to automate personal data discovery and classification
Discover personal data across multiple systems in the cloud or on-premise
Turn data subjects request into an automated workflow with a clear insight into data every step of the way
Collaborate with stakeholders and manage DPIA and LIA in real-time with Assessment Automation
Privacy portal allows customers to communicate their requests and preferences at any time
Introducing end-to end automation of personal data removal

Latest Blog posts

Learn the terms

General Data Protection Regulation

Here you can find the official content of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version. All Articles of the GDPR are linked with suitable recitals.

Latest papers

€2,5 million GDPR fine to Spanish supermarket chain Mercadona

€2,5 million GDPR fine to Spanish supermarket chain Mercadona

On July 26, 2021, the Spanish Data Protection Authority (AEPD) issued a €2,520,000 fine to Mercadona, S.A. -one of the leading supermarket and online shopping companies in Spain. The fine was issued for unlawful use of a facial recognition system.

[RELATED TOPIC: Video surveillance under the GDPR]

The AEPD conducted an investigation that uncovered serious violations of the General Data Protection Regulation (GDPR), related to the insufficient legal basis for data processing and unlawful processing of sensitive personal data.

Mercadona was using a facial recognition system in 48 of their locations for several months. The reason behind the installation of such a system was to detect individuals with prior criminal convictions, particularly individuals with restraining orders issued for assaulting an employee or that had been convicted for an incident that previously happened in the store.

Unfortunately, the facial recognition system captured images and processed biometric data of Mercadona’s employees and customers, including children.

The AEPD’s investigation uncovered there were no legal grounds for processing sensitive personal data in accordance with Article 9, and processing did not follow the principles of data minimization, proportionality, or necessity.

The AEPD also found that Mercadona did conduct the data protection impact assessment (DPIA). However, they assessed it as insufficient and incomplete as it did not account for the risks posed to Mercadona employees.

[RELATED TOPIC: What is a Data Protection Impact Assessment (DPIA) and how to conduct it]

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top