In February 2024, the affected individual requested surveillance video recordings to identify the party responsible for the damage to their car, which had been parked for several days in the private facility. They suggested blurring third-party faces or providing only the license plate of the responsible vehicle, and explicitly asked that the images not be deleted.
The company managing the premises initially rejected the request, stating they would only comply after a police report was filed. Later, they claimed the images had already expired and that fulfilling the request would be disproportionate, involving the review of 192 hours of footage from 16 cameras.
“"We do not provide recordings except to the police or a judge, and in any case, the images have already expired."
The AEPD dismissed the company's explanations, reminding them that the General Data Protection Regulation requires responding to rights requests within a maximum of one month, extendable for complex cases. The Agency found that the company failed to meet this deadline, leading to the deletion of the footage.
The Agency's resolution also noted that the presence of third-party data does not justify automatic denial of access; as the data controller, the company should have extracted only necessary data or applied facial blurring.
Consequently, the Agency has fined the company two penalties of 75,000 euros each for violating the right of access and the right to restriction of processing under the General Data Protection Regulation. However, following the company's acknowledgment of wrongdoing and voluntary payment, the total fine has been reduced to 90,000 euros.




