Data Privacy

Home Office FOI Migrant Stats Upheld - ICO Decision

The ICO has upheld a complaint against the Home Office regarding a Freedom of Information request for daily statistics on small boat irregular migrant arrivals, broken down by specified categories and dates. The Home Office had refused to provide information for part 1 of the request under section 40(2) FOIA exemption for personal data, but the ICO found this exemption was not correctly applied. The decision requires the Home Office to disclose all withheld information in its entirety within 30 calendar days of the decision notice.

DHSC FOI Request on NHS Federated Data Platform Contract Exempt Under s35(1)(a)

The Information Commissioner's Office issued a decision notice on 17 March 2026 finding that a Freedom of Information request from the Department of Health & Social Care regarding the NHS Federated Data Platform contract with Palantir Technologies Ltd is exempt from disclosure. The exemption under section 35(1)(a) of FOIA covers the formulation or development of government policy. The Commissioner determined no further steps are required from either party.

DAERA Decision - EIR Complaint - Re-Gen Waste Management Site Inspection Information

The Information Commissioner has issued a decision on a Freedom of Information and Data Protection complaint against the Department of Agriculture, Environment and Rural Affairs (DAERA) regarding inspection information for waste sites or facilities, specifically relating to Re-Gen Waste Management. The Commissioner upheld DAERA's refusal of withheld information under regulation 12(5)(e) (confidentiality of commercial information) and found no breach regarding item 5 of the request. However, the Commissioner upheld the complaint under regulation 11(4) as DAERA failed to provide the outcome of its internal review within the required 40 working days. No further steps are required.

MoJ FOI Decision Notice - Information Not Held

A complainant requested information from the Ministry of Justice about the release of individuals under the Early Release Scheme to a particular area of Middlesbrough. The MoJ argued that the requested information was not held for the purposes of FOIA because it did not currently exist in recorded form and could not be retrieved without creating new information. The ICO Commissioner determined that the MoJ was entitled to refuse the request on the basis that the information is not held by it for the purposes of FOIA.

University for the Creative Arts FOI Decision Notice Upholds Three FOIA Breaches

The Information Commissioner's Office has issued a decision finding that the University for the Creative Arts (UCA) breached three sections of the Freedom of Information Act 2000. UCA failed to respond to a data protection handling and governance FOI request within the statutory 20-working-day period, and failed to issue a valid refusal notice applying section 40(1) within that timeframe. The Commissioner upheld complaints under sections 1(1), 10(1), and 17(1) of FOIA, but determined that no further steps are required from UCA beyond the recorded findings.

GDPR Data Access Rights Resolution — VIMCORSA Municipal Housing

The AEPD issued a final resolution finding VIMCORSA (Viviendas Municipales de Córdoba, S.A.) in violation of GDPR Article 15 for inadequate response to a data subject access request. The controller provided only basic personal data (name, national ID, address, email, bank account) while denying access to technical repair records and failing to address the request for communications. The resolution orders VIMCORSA to fully respond to the access request and comply with GDPR requirements. The AEPD applied EDPB Guidelines 01/2022 in assessing the scope of the right of access, distinguishing personal data from technical documents.

AEPD Sanctions Controller for Failure to Respond to GDPR Right of Access Request

The AEPD issued a resolution (Expediente EXP202515553) finding that a data controller failed to respond to a data subject's Right of Access request under Article 15 GDPR and Article 13 LOPDGDD. The controller also failed to respond to the DPA's preliminary inquiry under Article 65.4 LOPDGDD and did not participate in the hearing procedure despite being given ten working days to submit allegations. The AEPD, exercising its corrective powers under Article 58.2 GDPR, ordered the controller to comply with the access request and addressed the violation as a failure to meet GDPR data subject rights obligations.

AEPD Resolves GDPR Rights Complaint Against Dirección General de la Policía

The Agencia Española de Protección de Datos (AEPD) issued a final resolution in case EXP202515145 finding that the Dirección General de la Policía failed to fully respond to a GDPR rights request. The claimant exercised rights of access and suppression on 26 May 2025 seeking information about biometric data (DNA, fingerprints, photographs), including the purpose of processing and recipients. The respondent partially replied on 20 August 2025 stating total cancellation of personal data and police records, but did not address all questions raised. The AEPD determined the response was incomplete and the respondent's allegations during the hearing did not adequately justify the non-compliance.

AEPD Closes Fingerprint Time-Tracking Investigation Against Valladolid City Council

The AEPD closed its investigation (EXP202413411) into AYUNTAMIENTO DE VALLADOLID's use of biometric fingerprint-based employee time-tracking after the council voluntarily eliminated the system on September 2, 2024. The council had operated the fingerprint system since 2009 but moved to remove it following publication of the AEPD's Guide on biometric control treatments. No penalty was imposed as the authority found the issue had been remedied prior to formal findings.

Opinion 7/2026 on BCD Travel Group Controller Binding Corporate Rules

The European Data Protection Board issued Opinion 7/2026 regarding the Dutch Supervisory Authority's draft decision on the Controller Binding Corporate Rules (BCR-C) of the BCD Travel Group. BCRs enable multinational corporate groups to transfer personal data lawfully within the group to countries outside the EEA that do not have an adequacy decision. The opinion addresses the adequacy of the BCD Travel Group's BCR-C application submitted to the Dutch authority under Article 64 of the GDPR. Supervisory authorities in other EEA Member States have four months to raise objections to the Dutch authority's draft decision, or it will be deemed adopted.

EDPB Opinion 8/2026 on Dutch Authority's IBM Group Controller BCR Draft Decision

The European Data Protection Board issued Opinion 8/2026 regarding the Dutch Supervisory Authority's draft decision on the Controller Binding Corporate Rules of the IBM Group. The opinion addresses consistency under Article 64 GDPR for multinational data transfers. The EDPB's opinion covers Binding Corporate Rules and International Transfers of Data as the key topics.

IDPC Decision on Incomplete Personal Data Copy Complaint

The Information and Data Protection Commissioner in Malta investigated complaint CDP/COMP/818/2024 filed on 25 November 2024, alleging that a gambling company (now operating under new ownership) provided an incomplete copy of personal data when responding to a subject access request under Article 15 GDPR. The controller argued it fulfilled its obligations by providing a Personal Data Report including transaction data from the past 12 months, citing Section 6d(3) of the German Interstate Treaty on Gambling 2021 (ISTG 2021) and claiming that national gambling law takes precedence over GDPR under the lex specialis principle. The controller failed to respond to multiple requests for submissions, prompting the Commissioner to invoke investigative powers under Article 58(1)(e) GDPR via registered letter on 13 March 2025.

NDPC and NBS Forge Strategic Alliance to Secure Nigeria's Official Socioeconomic Data

The Nigeria Data Protection Commission (NDPC) led by Dr. Vincent Olatunji met with the National Bureau of Statistics (NBS) led by Prince Adeyemi Adeniran on March 16, 2026 to establish a strategic partnership. The NDPC offered free Data Protection Officer (DPO) certification for NBS staff, complimentary Virtual Privacy Academy vouchers, and free induction training. A Memorandum of Understanding will be signed and a joint working group established to strengthen NBS compliance with the Nigeria Data Protection Act across all federal states.

NDPC and Trade Ministry Partner to Boost Global Competitiveness

The Nigeria Data Protection Commission (NDPC) and the Honourable Minister of Industry, Trade and Investment, Dr Jumoke Oduwole, met on March 12, 2026, to discuss a strategic partnership on data protection. NDPC National Commissioner Dr Vincent Olatunji offered free induction training and Virtual Privacy Academy (VPA) vouchers to Ministry staff to support compliance with the Nigeria Data Protection Act, 2023. Both parties acknowledged that data protection is essential to attracting foreign direct investment and improving the global competitiveness of Nigerian businesses under the Renewed Hope Agenda.

NDPC Urges Sports Betting Operators to Secure Massive User Data

The Nigeria Data Protection Commission (NDPC), led by National Commissioner Dr Vincent Olatunji, addressed the Association of Nigerian Bookmakers (ANB) at a workshop on March 12, 2026, emphasizing the critical importance of data security for the gaming sector. The NDPC highlighted that no fewer than 60 million Nigerians use ANB member platforms monthly, making the sector a data controller of major importance due to the data-intensive nature of gaming operations including customer onboarding, identity verification, payment processing, and marketing communications. The engagement forms part of NDPC's strategic sector-by-sector approach to encourage compliance with the Nigeria Data Protection Act (NDP Act), 2023, and to ensure adequate protection of customer rights.

Cardone Law Firm Data Security Incident Notification

Cardone Law Firm discovered suspicious computer system activity on August 25, 2025, and through investigation determined that files containing personal information (name and additional redacted data) were obtained by an unauthorized party. The firm engaged cybersecurity professionals, contained the incident, and is notifying affected individuals. No evidence of misuse for fraud or identity theft was identified. The firm is offering complimentary Epiq Privacy Solutions ID credit monitoring for 24 months, with enrollment deadline of May 31, 2026.

ICO AI Consultation Outcomes and Updated Data Protection Policy

The UK's Information Commissioner's Office (ICO) has published the outcomes of its generative AI consultation series and updated its data protection policy positions. The consultation ran from January to September 2024, focusing on data protection aspects of generative AI.

ICO AI Working Groups and G7 Statements

The ICO describes its participation in multiple AI-focused collaborative forums including an informal working group for UK regulators on AI issues, a Scottish AI Regulatory Working Group with the Equality and Human Rights Commission, and the G7 data protection and privacy regulators roundtable. The ICO also participates in the Berlin Group (International Working Group on Data Protection in Technology), which published a Working Paper on Large Language Models in 2024. The ICO launched its first Enterprise Data Strategy in 2024 as part of its AI transformation programme.

EDPB 2026 Coordinated Enforcement Action on Transparency

The EDPB has launched its 2026 Coordinated Enforcement Action (CEF) on transparency and information obligations under the GDPR, with 25 European Data Protection Authorities participating in coordinated investigations and fact-finding exercises. Participating DPAs will share and discuss findings in the second half of 2026, after which a consolidated report will be submitted for adoption by the EDPB to enable targeted follow-ups at both national and EU levels. The Hellenic DPA will specifically address controllers belonging to large public sector organizations in Greece.

Seventh AI Board Meeting Reviews AI Strategy and Act Implementation

The European Commission's AI Board held its seventh meeting on 20 March 2026 under the Cypriot Presidency to review progress on the AI Continent Action Plan and AI Act implementation. The Commission presented the first-year successes of the AI Continent Action Plan and the next steps for aligning national AI strategies. Working Group Chairs and Vice-Chairs presented the second draft of the Code of Practice on labelling and marking AI-generated content, incorporating feedback from hundreds of industry, academic, and civil society participants. The Cyprus Council Presidency also provided an update on the Digital Omnibus on AI negotiations, highlighting the Council's mandate achievement on 13 March 2026.

US Senate Hearing Explores Section 230 Reforms

The U.S. Senate Committee on Commerce, Science and Transportation held a hearing on March 18, 2026 to mark Section 230's 30th anniversary and examine whether its broad liability protections for online platforms remain appropriate in the age of generative AI. Legal scholars, civil liberties advocates, and victims' attorneys testified, with bipartisan sentiment emerging that some reform — potentially a duty-of-care standard or conditional protections — may be warranted. Several proposals were floated, including conditioning Section 230 protections on platforms' compliance with interoperability, privacy, and transparency requirements, and ensuring AI-generated outputs are not granted the same liability shields as third-party user content.

White House AI Policy Recommendations Emphasize Children's Online Safety, Preemption

The White House issued AI policy recommendations on March 20, 2026, covering children's online safety, intellectual property, AI literacy, and state AI law preemption. The framework calls for existing child privacy protections to apply to AI systems, including limits on data collection for model training and targeted advertising. It also proposes that states be prohibited from regulating AI development and recommends regulatory sandboxes instead of a standalone AI regulatory body. The recommendations were mandated by a December 2025 executive order and were developed with Sen. Marsha Blackburn's input.

Marquis Software Solutions Data Breach Notice to Consumers

The Vermont Attorney General's Office posted a data breach notice from Marquis Software Solutions on March 16, 2026, notifying consumers of a security incident. The full details of the breach — including the types of information involved, the number of affected individuals, and the company's response actions — are contained in the attached PDF. Consumers in Vermont who received this notice should review the specific instructions provided regarding identity protection and any offered monitoring services.

European DPAs Launch 2026 Coordinated Enforcement on GDPR Transparency

The European Data Protection Board (EDPB) has selected information and transparency obligations under the GDPR as the focus of its 2026 Coordinated Enforcement Framework (CEF). Twenty-five European data protection authorities will participate, including the Italian Garante, which will conduct a knowledge survey by sending questionnaires to data controllers across multiple sectors: public administration, insurance and financial services, healthcare, utilities, and marketing. Results from individual authorities will feed into a final EDPB report that may identify further national or European follow-up actions.

EU Regulators Focus on Cross-Regulatory Cooperation for Digital Laws

The IAPP reported on the European Data Protection Board's 17 March 2026 workshop on cross-regulatory interplay and cooperation, where EDPB Chair Anu Talus opened by stating the digital economy does not operate in silos and that regulators must focus on shared interpretation through consistency. The EDPB announced it is developing joint guidance with the European Commission on GDPR and AI Act interactions and on GDPR and Digital Markets Act interplay, with the latter expected before year-end, while another joint project on data protection and competition will open for public consultation soon.

China PIPL Compliance Audit Guidance and Enforcement Trends

China's Personal Information Protection Law has long required organizations to periodically audit personal information processing for legal compliance. What is evolving most quickly is not the existence of duty, but what regulators and stakeholders increasingly expect the audit to look like in practice: regularity, a credible methodology and, above all, verifiability. Put simply, it is no longer enough to say you have policies and controls. Organizations are increasingly expected to demonstrate a defensible scope, an evidence trail and a remediation plan. A recent regulatory development involving minors' personal information offers a useful signal: regulators have tied audit obligations to a repeatable annual cycle, with reporting typically occurring each January.

Senator Blackburn Proposes AI Framework for Child Safety and Copyright

Senator Marsha Blackburn, R-Tenn., released a discussion draft on March 18, 2026, proposing a national AI policy framework to preempt state-level AI legislation while addressing children's online safety and copyright protections. The draft combines provisions from the Kids Online Safety Act (KOSA) and the NO FAKES Act, requiring AI chatbot age verification for users under 18, developer duty-of-care standards, NIST-led watermarking standards, and third-party bias audits. A private right of action for child harms caused by AI systems is included alongside a proposal to sunset Section 230 platform liability protections.

Report on Stakeholder Event on Anonymisation and Pseudonymisation

The EDPB published a report summarizing its stakeholder event on anonymisation and pseudonymisation held on 12 December 2025. The event brought together stakeholders to discuss practical applications and challenges related to these data protection techniques under the GDPR framework. The report (210.1KB PDF) is available for download from the EDPB website alongside related publications on the anonymisation topic page.

EDPB-EDPS Joint Opinion on Cybersecurity Act 2 and NIS 2 Directive Amendments

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued Joint Opinion 4/2026 on the Proposal for a Cybersecurity Act 2 and the Proposal amending the NIS 2 Directive. Published on 19 March 2026, this joint opinion establishes a unified position from both data protection supervisory authorities on the proposed legislative changes affecting cybersecurity requirements across the EU. The opinion addresses the intersection of enhanced cybersecurity obligations under the revised NIS 2 Directive and data protection requirements under the GDPR, with particular focus on incident notification and personal data breach reporting obligations.

AEPD Resolves GDPR Right to Erasure Claim Against UPTA-CLM

The AEPD resolved a GDPR right-to-erasure complaint (EXP202515130) filed by A.A.A. against UNION DE PROFESIONALES Y TRABAJADORES AUTONOMOS DE CASTILLA-LA MANCHA (UPTA-CLM, NIF G45461845), finding that the entity failed to properly respond to the data subject's erasure requests submitted in May and June 2025. The investigation confirmed that the designated DPO contact email (dpd@amtas.es) was non-functional, preventing legitimate exercise of data subject rights, and that UPTA-CLM's subsequent explanations were insufficient to demonstrate compliance with Article 17 GDPR.

EDPB Announces 2026 CEF Transparency Measure Under GDPR

The European Data Protection Board (EDPB) announced on 19 March 2026 its Coordinated Enforcement Framework (CEF) measure for 2026, focused on transparency and information obligations under the GDPR. The Austrian Data Protection Authority (DSB) will participate in this coordinated action, with further details to be published at a later date. This continues the EDPB's annual coordinated enforcement programme targeting consistent GDPR application across EU member states.

Digital Europe Work Programme 2025-2027 Amended for EU Digital Priorities

The Digital Europe Work Programme 2025-2027 has been amended to keep pace with Europe's digital priorities. New actions include digital infrastructure for schools, an online safety application supporting the EU Action plan against cyberbullying, Safer Internet Centres, European Digital Infrastructure Consortia, Testing and Experimentation Facilities for AI, and the European Electronic Health Record Exchange Format aligned with the European Democracy Shield. The amendment follows a first DIGITAL amendment adopted in October 2025.

EDPB Launches 2026 Coordinated Enforcement Action on GDPR Transparency Obligations

The European Data Protection Board has launched its 2026 Coordinated Enforcement Framework (CEF) action, targeting compliance with transparency and information obligations under Articles 12, 13, and 14 of the GDPR. Twenty-five national Data Protection Authorities across Europe will participate, contacting data controllers through enforcement actions or fact-finding exercises during 2026. Findings will be shared in the second half of the year, aggregated into a consolidated report for EDPB adoption, enabling targeted follow-ups at both national and EU levels.

Hingham Municipal Light Plant Data Breach Notification

Hingham Municipal Lighting Plant, a municipal utility in Massachusetts, notified affected individuals that it identified and addressed a data incident involving their name, Social Security number, and driver's license number. The utility is providing two years of complimentary access to Epiq Privacy ID Solutions, which includes three-bureau credit monitoring, dark web monitoring, SSN monitoring, and up to $1,000,000 in identity theft insurance. The notification also advises affected individuals to place fraud alerts, review account statements, and contact the FTC or law enforcement if they believe they are victims of identity theft.

TriZetto Provider Solutions Data Breach Notification Letter

TriZetto Provider Solutions has issued a data breach notification to Massachusetts residents whose personal information may have been compromised. The company is offering identity monitoring services to affected individuals, with enrollment instructions and toll-free contact information provided. The letter advises recipients to monitor account statements and credit reports and to report any suspicious activity to financial institutions.

TriZetto Provider Solutions Data Breach Notification Letter

TriZetto Provider Solutions (TPS) filed a data breach notification with Massachusetts disclosing unauthorized access to its systems beginning in November 2024. The breach involved a web portal used by healthcare provider customers for insurance eligibility verification transactions, potentially exposing names, addresses, dates of birth, health insurance member numbers, provider names, health insurer names, and demographic and health information. Social Security numbers may have been involved for some individuals. TPS discovered the incident on October 2, 2025, engaged cybersecurity experts, notified law enforcement, and began notifying affected providers on December 9, 2025. Free credit monitoring through Kroll is being offered to affected individuals.

GDPR Article 25: Data Protection by Design and Default Factors in 2026

IAPP published an analysis on March 18, 2026, examining the practical implementation of GDPR Article 25 (Data Protection by Design and Default) nearly a decade after the regulation's adoption. The article identifies four assessment factors—state of the art, cost of implementation, processing context and purposes, and risks to rights and freedoms—that controllers should collectively consider to determine whether technical and organizational measures are appropriate. The analysis notes that AI regulation trends in 2026 require organizations to conduct structured risk assessments, document AI system principles, track training data, and implement control mechanisms when AI systems are involved in decisions affecting individuals.

Stakeholders Discuss AI Standards, Regulations, and Enforcement at Global Summit

Stakeholders at the AI Standards Hub Global Summit 2026 discussed the interplay between AI technical standards, regulatory frameworks like the EU AI Act, and enforcement efforts. The OECD's Sara Rendtorff-Smith emphasized that organizational and industry standards serve as the 'quiet infrastructure of innovation' enabling safe AI scaling, while warning that a fragmented global enforcement landscape creates compliance costs and cross-border deployment barriers. U.S. organizations rely on NIST's AI Risk Management Framework and AI Agent Standards Initiative amid a patchwork of state laws with no federal AI law, in contrast to the EU's centralized AI Act approach. The OECD AI Policy Observatory tracks over 2,000 AI policies across more than 80 jurisdictions, and speakers highlighted the need for consistent methods to measure AI system performance.

Rotherham Council Failed FOI Request Response Time

The ICO has issued a Decision Notice finding that Rotherham Metropolitan Borough Council failed to respond to a Freedom of Information request within the statutory 20 working days required under FOIA. The authority must now provide the complainant with a substantive response to the request within 30 calendar days of the decision date. This enforcement action reinforces the binding nature of FOI response timeframes for public authorities.

Guy's and St Thomas' NHS Foundation Trust - FOI Breach Decision

The ICO found that Guy's and St Thomas' NHS Foundation Trust breached section 10 of FOIA by failing to respond to an information request within 20 working days. The Commissioner ordered the Trust to provide a substantive response to the complainant's request in accordance with its statutory obligations under the Freedom of Information Act 2000.

Royal Borough of Kensington and Chelsea FOI Breach Upheld

The ICO issued a decision notice on 13 March 2026 finding that the Royal Borough of Kensington and Chelsea failed to respond to a Freedom of Information Act (FOIA) request within the statutory 20 working day timeframe. The complaint concerned a request for information about bathing or showering facilities at Apollo House, Cremorne Estate, London. The ICO upheld the complaint and requires the public authority to issue a substantive response under FOIA to remedy the breach of Section 10.

ICO Orders Westmorland and Furness Council to Issue Fresh FOI Response

The Information Commissioner's Office (ICO) has upheld a complaint against Westmorland and Furness Council regarding a Freedom of Information request for an external consultant report on Appleby Horse Fair. The ICO determined that the Council was not entitled to refuse the request under section 14(1) of FOIA (vexatious requests exemption). The Council is required to issue the complainant with a fresh response that does not rely on section 14(1) within 30 calendar days. Failure to comply may result in the Commissioner certifying the fact to the High Court pursuant to section 54 of the Act, which may be dealt with as contempt of court.

St. Werburgh's C. E. Primary School FOI Complaint Upheld

The ICO issued a Decision Notice on 12 March 2026 finding that St. Werburgh's C. E. Primary School failed to respond to a Freedom of Information request within the statutory 20 working day timeframe specified under FOIA. The public authority has been found in breach of its FOIA obligations. The Commissioner requires the school to provide the complainant with a response to their information request within 30 calendar days in accordance with its statutory obligations.

ICO Decision Notice: East Riding of Yorkshire Council FOI Section 31 Exemption Upheld

The ICO has issued a Decision Notice in case IC-393971-B4K5 concerning East Riding of Yorkshire Council's refusal to disclose total parking machine collections at Bridlington Park and Ride during 5-12 April 2025. The council relied on section 31(1)(a) of the Freedom of Information Act (law enforcement exemption) to withhold the requested information. The Commissioner has determined that the council correctly applied section 31(1)(a) and that the public interest favours maintaining the exemption. No further steps are required as a result of this notice.

Home Office ordered to reply to FOI request

The ICO has ordered the Home Office to respond to a Freedom of Information (FOI) request that was not answered within the statutory 20-day period. The Home Office must now provide a response to the complainant within 30 calendar days.

ICO Decision Notice: House of Commons FOI Complaint

The Information Commissioner's Office has issued a decision notice in response to a Freedom of Information complaint against the House of Commons, dated 13 March 2026. The Commissioner found that the House of Commons correctly relied on section 40(2) of FOIA (third party personal information) to withhold information about role upgrades. No further regulatory steps are required. The complainant may pursue appeal through the First-tier Tribunal (General Regulatory Chamber).

Sheffield City Council EIR Breach - Montague Street Closure Request Upheld

The ICO has upheld a complaint against Sheffield City Council under Regulation 5(2) of the Environmental Information Regulations. The council failed to provide a substantive response to a request for information regarding the closure of Montague Street, Sheffield within the statutory 20 working day timeframe. The Commissioner has ordered the council to provide the complainant with a compliant response in accordance with its EIR obligations. The decision was issued on 13 March 2026.

Cabinet Office FOI Refusal Upheld Under Section 35(3)

The ICO has issued a Decision Notice upholding the Cabinet Office's refusal to confirm or deny whether it holds National Security Council records related to the potential proscription of Palestine Action. The Cabinet Office relied on section 35(3) of the Freedom of Information Act via section 35(1)(b) (Ministerial communications) to issue a neither-confirm-nor-deny response. The ICO determined the exemption was correctly applied, meaning no further information about the existence of such records will be disclosed through FOI.

AEPD Fines Real Estate Company €4M for Failure to Respond to Data Protection Information Request

The AEPD imposed a €4,000,000 administrative fine on SERVICIOS INMOBILIARIOS Y GESTIÓN RCL-MADRID, S.L. (NIF B87801262) for failure to respond to two formal information requests sent by the Subdirección General de Inspección de Datos in connection with a data subject complaint (expediente EXP202315840). The company, notified on January 28 and February 20, 2025, provided no response. The fine is assessed under Article 83.5.e GDPR, which carries a maximum penalty of €20,000,000 or 4% of global annual turnover, whichever is greater. The company did not submit any representations during the procedure.

AEPD Fines Entity for Failure to Respond to GDPR Right of Access Request

The AEPD issued a resolution in case EXP202520411 finding that a data controller failed to respond to a data subject's exercise of the Right of Access under GDPR Article 15 and LOPDGDD Article 13. Following admission of the complaint on 22 December 2025, the AEPD confirmed the entity did not respond to the original request nor to agency inquiries. The resolution orders the entity to provide the legally required response to the access request.