A Spanish company has received a GDPR fine of 9,000 Euros for posting an employee’s photo on its own company website, Facebook and Instagram without his permission. The employee asked his employer to remove the image, but he refused. The company claimed it had been granted permission, even though it could not prove it. The employee stated that permission had not been given and thought that the photo would only be used within the company. The employee then filed a complaint with the Spanish privacy regulator AEPD. He asked the company for clarification, but received no response. The AEPD stated that the company violated the GDPR on two counts. Firstly, no permission was received for the processing of the personal data. In addition, the company had not complied with the employee’s request to delete the data. For the two violations, the AEPD decided to impose a total fine of 9,000 Euros.