Spain: Issued fine against Orange Espagne for breach of the GDPR

On 16 March 2023, the Spanish Data Protection Authority (AEPD) imposed a fine of EUR 100'000 against Orange Espagne, a mobile network operator, for violating the data minimisation principle set out in Article 5(1)(c) of the EU General Data Protection Regulation (GDPR). In particular, the AEPD found that Orange Espagne required drivers of third-party companies to collect photos of the identity cards of clients when making a delivery of their products. The AEPD held that the processing of the photo of the national identity card was unlawful. More specifically, the AEPD found that Orange Espagne breached the GDPR's data minimisation principle, which requires data processing to be proportional and limited to what is necessary in relation to the purpose for which it is processed.