10 million GDPR fine for illegal data sharing and for hindering the right to erasure
The Spanish Data Protection Agency (AEPD) has imposed a penalty of ten million euros on Google for transferring data to third parties without a legal base to do so and for hindering citizens’ right to erasure. According to the Agency, these contravene Articles 6 and 17 of the European General Data Protection Regulation (GDPR).
AEPD said it found out that Google had passed information that could be used to identify citizens requesting deletion of their personal data under EU law, including their email address; the reasons given; and the URL claimed, to a U.S.-based third party without a valid legal basis for this further processing.
In addition to the financial penalty, the Agency also ordered Google to adjust its procedures for the exercise of the right of erasure in relation to requests for the removal of content from its products and services, and the information it offers to its users, in line with data protection rules.