The cosmetics company AVON COSMETICS SAU has been fined 60,000 euros by the Spanish Data Protection Authority (AEPD) for including a client’s data in a debtors’ list.
The client was the victim of identity theft: another person used his personal data to acquire an AVON product and, in the absence of payment, AVON decided to include the client in a debtors’ list.
The AEPD considers that there has been a violation of Article 6 of the GDPR, which establishes the data controller’s inexcusable obligation to have a valid lawful basis for processing.
In this case, the purchase contract is not signed but accepted through an online acceptance log, and the AEPD considers that an online purchase does not imply consent to the company’s use of personal data.
This is the first time that sanctions have been imposed under the GDPR regime for facts such as those described. The resolution creates some legal uncertainty regarding the means of proof that online businesses must demand to avoid sanctions like this one when, for reasons beyond the company’s control, a user’s identity is stolen.