Spanish ES fines the Eurocollege Oxford English Institute SL for GDPR infringements

12 January 2024

Background information

  • Date of final decision: 06/10/2023
  • Cross-border case or national case: national case
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing),  Article 9 (Processing of special categories of personal data)
  • Decision: Administrative fine
  • Key words: Administrative fine, Health records, Data minimisation, Criminal convictions and offences


Summary of the Decision


Origin of the case  

The case initiated following a complaint against the CENTRO DE ESTUDIOS AERONÁUTICOS, SL for the request of mandatory personal data to be able to access the training of cabin crew. Among the requested data are the COVID certificate, a criminal certificate and certain data such as address, people with whom you live or bank account number.


Key Findings 

The entity CENTRO DE ESTUDIOS AERONÁUTICOS, SL, was absorbed by EUROCOLLEGE OXFORD ENGLISH INSTITUTE SL. Therefore, the proceedings were filed against the latter.

In order to obtain the professional qualification of Passenger Cabin Crew (PCC) it is necessary to complete an initial training course given by the entities authorised by the European Aviation Safety Agency (EASA). The claimant entered into a contract with the complainant for this initial training course. As part of the terms and conditions of the contract, it was mandatory to provide medical certificate of Class CC (Cabin Crew) to be admitted to the course, as well as to respond to other health related questions, and to provide information related to their personal life (parents, housing, current job information) and a criminal record certificate.

The following infringements were identified:

  • Art. 9.2 GDPR for requesting health data and COVID certificate when there is no exception lifting the ban to process special categories of personal data
  • Art. 6.1 GDPR for unlawfully requesting health data 
  • Art. 6.1 GDPR in relation to Article 10 GDPR and Article 10 of the LOPDGDD (national data protection law) for unlawfully requesting a criminal certificate 
  • Art. 5.1.c) GDPR for requesting excessive data 


The Spanish SA imposed the following fines: 

  • For the infringement of art. 9.2 GDPR, EUR 50,000
  • For the infringement of art. 6.1 GDPR in relation to the health data, EUR 10,000
  • For the infringement of art. 6.1 GDPR in relation to the criminal certificate, EUR 25,000 
  • For the infringement of art. 5.1.c) GDPR, EUR 5,000

The controller proceeded to the voluntary payment of the fines, terminating the proceedings according to Spanish national procedural law with a 20% reduction, and a total fine of EUR 72,000.

For further information: decision in national language


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.