{"id":7654,"date":"2025-04-08T16:58:57","date_gmt":"2025-04-08T15:58:57","guid":{"rendered":"https:\/\/lawwwing.com\/?p=7654"},"modified":"2025-04-08T17:04:26","modified_gmt":"2025-04-08T16:04:26","slug":"5000-fine-mishandling-a-data-access-request","status":"publish","type":"post","link":"https:\/\/lawwwing.com\/en\/5000-fine-mishandling-a-data-access-request\/","title":{"rendered":"You think DSAR isn\u2019t a big deal? Try a \u20ac5,000 fine"},"content":{"rendered":"\n

<\/p>\n\n\n\n

Crema Games<\/strong>, the company known for developing the video game Temtem<\/strong><\/em>, has been fined \u20ac5,000 <\/strong>by the Spanish Data Protection Authority (AEPD).<\/strong> Why? For mishandling a user\u2019s request to access their personal data<\/strong>.<\/p>\n\n\n\n

In this article, we explain \u2014 in simple terms \u2014 what happened, what mistakes the company made, and how you can avoid the same issues in your own business if you run a website or work in a digital company.<\/p>\n\n\n\n

You can read the full decision here<\/a>.<\/p>\n\n\n\n

<\/div>\n\n\n\n

How it started?: a personal data access request<\/h2>\n\n\n\n

It all began when a user contacted Crema Games to exercise their right of access<\/strong> (under Article 15 of the GDPR<\/a>). The user wanted to know if Crema Games<\/strong> was processing their personal data<\/strong> and, if so, to receive a copy of it, understand what it was being used for<\/strong>, and if it had been shared with others.<\/strong><\/p>\n\n\n\n

The request was made via email. The user included identifiers linked to their game account and later sent a censored version of their ID documen<\/strong>t, hiding sensitive data such as the photo and ID number.<\/p>\n\n\n\n

However, Crema Games replied that this form of ID was not valid <\/strong>and that they required a full copy of the user\u2019s identification document<\/strong>. This was the first red flag: the AEPD considered this demand excessive and not in line with the data minimisation principle<\/strong>.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n

First mistake: asking for more data than necessary<\/h2>\n\n\n\n

The AEPD ruled that asking for a full copy of an ID is not necessary if there are already reasonable ways to identify the person<\/strong>. In fact, the law is clear: organisations must only request and process the minimum data needed<\/strong>; no more, no less. This is the essence of the data minimisation principle<\/strong>.<\/p>\n\n\n\n

The idea is simple: only collect and process data that\u2019s strictly required<\/strong> for the purpose at hand. Requesting a full ID , including information that\u2019s not needed to verify identity<\/strong>, is not a proportionate measure.<\/p>\n\n\n\n

In this case, the user had already provided their game identifiers and had written from an email address that could reasonably be linked to their account. Therefore, the company should have accepted that as valid identification.<\/strong><\/p>\n\n\n\n

This is a common mistake many businesses make: thinking that asking for more data is \u201csafer\u201d, when in fact it can be illegal<\/strong> if there\u2019s no valid justification.<\/p>\n\n\n\n

At Lawwwing<\/strong>, we help businesses manage these kinds of user requests <\/a>securely and without asking for more data than necessary. This helps avoid costly mistakes \u2014 and fines.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Second mistake: missing deadlines<\/h2>\n\n\n\n

Crema Games<\/strong> also failed to respond <\/strong>to the AEPD within the required deadline<\/strong> when the authority contacted them for information. If you receive an official request from the AEPD, you must respond within the legal timeframe with no excuses.<\/p>\n\n\n\n

This should serve as a wake-up call for businesses: deadlines matter<\/strong>. Not replying to the AEPD on time can lead to further financial fines.<\/strong><\/p>\n\n\n\n

With Lawwwing<\/strong><\/a>, you won\u2019t miss a single deadline. Our platform notifies you and helps you stay compliant, so you can avoid sanctions.<\/p>\n\n\n\n

<\/div>\n\n\n\n

The AEPD\u2019s resolution and the fine<\/h2>\n\n\n\n

After reviewing the facts, the AEPD concluded that Crema Games had breached Article 15 of the GDPR<\/strong> by not properly granting the user\u2019s right of access. The authority also noted the excessive identity verification requirements and the failure to respond within the established timeframe.<\/strong><\/p>\n\n\n\n

The fine imposed on Crema Games was \u20ac5,000<\/strong>, sending a clear message: if you run a business, a website, or collect personal data, you must respect the rights of your users \u2014 and comply with the rules.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Key takeaways for tech and digital companies<\/h2>\n\n\n\n

This case offers three important lessons<\/strong> for any business with a website, app, or customer data:<\/p>\n\n\n\n