You think DSAR isn’t a big deal? Try a €5,000 fine

Núria Moreno Ambel
April 8, 2025

Crema Games, the company known for developing the video game Temtem, has been fined €5,000 by the Spanish Data Protection Authority (AEPD). Why? For mishandling a user’s request to access their personal data.

In this article, we explain — in simple terms — what happened, what mistakes the company made, and how you can avoid the same issues in your own business if you run a website or work in a digital company.

You can read the full decision here.

How it started: a personal data access request

It all began when a user contacted Crema Games to exercise their right of access (under Article 15 of the GDPR). The user wanted to know if Crema Games was processing their personal data and, if so, to receive a copy of it, understand what it was being used for, and if it had been shared with others.

The request was made via email. The user included identifiers linked to their game account and later sent a censored version of their ID document, hiding sensitive data such as the photo and ID number.

However, Crema Games replied that this form of ID was not valid and that they required a full copy of the user’s identification document. This was the first red flag: the AEPD considered this demand excessive and not in line with the data minimisation principle.

First mistake: asking for more data than necessary

The AEPD ruled that asking for a full copy of an ID is not necessary if there are already reasonable ways to identify the person. In fact, the law is clear: organisations must only request and process the minimum data needed; no more, no less. This is the essence of the data minimisation principle.

The idea is simple: only collect and process data that’s strictly required for the purpose at hand. Requesting a full ID, including information that’s not needed to verify identity, is not a proportionate measure.

In this case, the user had already provided their game identifiers and had written from an email address that could reasonably be linked to their account. Therefore, the company should have accepted that as valid identification.

This is a common mistake many businesses make: thinking that asking for more data is “safer”, when in fact it can be illegal if there’s no valid justification.

At Lawwwing, we help businesses manage these kinds of user requests securely and without asking for more data than necessary. This helps avoid costly mistakes — and fines.

Second mistake: missing deadlines

Crema Games also failed to respond to the AEPD within the required deadline when the authority contacted them for information. If you receive an official request from the AEPD, you must respond within the legal timeframe with no excuses.

This should serve as a wake-up call for businesses: deadlines matter. Not replying to the AEPD on time can lead to further financial fines.

With Lawwwing, you won’t miss a single deadline. Our platform notifies you and helps you stay compliant, so you can avoid sanctions.

The AEPD’s resolution and the fine

After reviewing the facts, the AEPD concluded that Crema Games had breached Article 15 of the GDPR by not properly granting the user’s right of access. The authority also noted the excessive identity verification requirements and the failure to respond within the established timeframe.

The fine imposed on Crema Games was €5,000, sending a clear message: if you run a business, a website, or collect personal data, you must respect the rights of your users — and comply with the rules.

Key takeaways for tech and digital companies

This case offers three important lessons for any business with a website, app, or customer data:

  • Make it easy for users to exercise their rights. Verify their identity, yes — but without demanding excessive documentation.
  • Respect deadlines. Whether responding to users or regulators, timing is crucial.
  • Apply the data minimisation principle. Only ask for the data you truly need — nothing more.

Failing to do any of the above can result in significant fines.

How can you avoid this happening to you?

Here are some simple tips:

  • Provide a clear and easy way for users to submit requests to exercise their rights (for example, via a simple form on your website).
  • Use proportionate methods to verify identity: In many cases, an email address associated with the user account is enough.
  • Respect deadlines: By law, you have one month to reply to these requests. And if the AEPD contacts you, specific response deadlines apply too.
  • Keep records of everything: This way, you can prove you acted correctly if needed.

If you’re unsure how to implement these practices — or if you want to handle them with confidence — Lawwwing makes it easy. Our platform is designed to help you stay compliant without the hassle.

Conclusion

The Crema Games fine is a reminder that data protection isn’t just a legal obligation: it’s essential to building digital trust. Complying with the GDPR doesn’t have to be complicated if you understand the key principles and use tools that streamline compliance.

In a digital world where personal information is increasingly valuable, being a responsible data handler is no longer optional; it’s a competitive advantage.
