Madrid Parking Fined €150,000 for Denying Security Footage Access

The Spanish Data Protection Agency sanctions a parking facility for refusing to provide security footage to a client whose car was damaged.

Blurred security camera footage of a parking lot showing a damaged car.
IA

Blurred security camera footage of a parking lot showing a damaged car.

The Spanish Data Protection Agency (AEPD) has imposed a fine of 150,000 euros on a Madrid parking facility for denying a client access to security footage after their vehicle sustained significant damage.

In February 2024, the affected individual requested surveillance video recordings to identify the party responsible for the damage to their car, which had been parked for several days in the private facility. They suggested blurring third-party faces or providing only the license plate of the responsible vehicle, and explicitly asked that the images not be deleted.
The company managing the premises initially rejected the request, stating they would only comply after a police report was filed. Later, they claimed the images had already expired and that fulfilling the request would be disproportionate, involving the review of 192 hours of footage from 16 cameras.

"We do not provide recordings except to the police or a judge, and in any case, the images have already expired."

a spokesperson for the parking company
The AEPD dismissed the company's explanations, reminding them that the General Data Protection Regulation requires responding to rights requests within a maximum of one month, extendable for complex cases. The Agency found that the company failed to meet this deadline, leading to the deletion of the footage.
The Agency's resolution also noted that the presence of third-party data does not justify automatic denial of access; as the data controller, the company should have extracted only necessary data or applied facial blurring.
Consequently, the Agency has fined the company two penalties of 75,000 euros each for violating the right of access and the right to restriction of processing under the General Data Protection Regulation. However, following the company's acknowledgment of wrongdoing and voluntary payment, the total fine has been reduced to 90,000 euros.