Add Event Staff, S.L., a Spanish event organizing company, was recently warned by the Spanish DPA (AEPD) for violating GDPR and the Spanish Law on Data Protection and Digital Rights Guarantee (LOPDGDD). The decision was made in response to a complaint from a Spanish citizen who had registered for a job fair organized by Add Event Staff, S.L. The citizen stated that the web form required him to give consent not only for participation in the job fair, but also for receiving commercial communications and transferring his data to third parties. When he requested that his consent be used only for participation in the job fair, the defendant refused, stating that the claimant was obligated to receive commercial communications as it was a free event.
Add Event Staff, S.L. claimed that the processing activities were based on the claimant's consent and that he was fully informed about the need to process his data for participation in the job fair, as well as the possibility of receiving commercial communication, which could be unsubscribed from. However, the AEPD initiated a sanction procedure, and the defendant responded by stating that the participation in the event had one single purpose, which was to communicate attendees with the companies for networking objectives, and that the company was in the process of changing its forms to adopt the corresponding measures. The AEPD found that Add Event Staff, S.L. had violated Article 7 of GDPR and Article 6(3) of LOPDGDD by bundling different processing activities and requiring consent for them collectively, rather than obtaining separate consent for each specific activity. The defendant's actions deceived the claimant and violated their right to freely give or withhold consent for each processing activity.