The Spanish Data Protection Authority (“Agencia Espanola Proteccion Datos – AEPD”) has recently issued its highest fine to date, totaling €8.15 million for several breaches of GDPR and national legislation by a multinational telecommunication company and its service providers. Notably, €2 million of this fine was attributable to its service provider conducting an international transfer of personal data to a country that did not comply with the European data protection requirements.

Following the Schrems II ruling, European supervisory authorities are increasing their scrutiny of the safeguards and controls being adopted by organisations when conducting international transfers and processing of personal data. This case demonstrates that organisations that transfer and use significant amounts of personal data in the context of operations that are heavily outsourced or reliant on chains of counterparties in different countries may be particularly at risk of future enforcement action.

Continue reading.