Facebook was fined €1.2 million by the Spanish Data Protection Agency (‘AEPD’) for a number of infringements of the Spanish Data Protection Act.

The AEPD investigated Facebook to confirm whether it was complying with Spanish data protection law. It found that Facebook breached domestic law by failing to obtain users’ express consent to process sensitive data for advertising purposes and for collecting data without properly informing users how it would be used.

Facebook had been profiling users based on sensitive personal data such as religious and political beliefs, and then offering advertising based on those beliefs. Facebook, however, had not obtained express consent to use the data for those purposes, instead it had simply provided generic examples of the data it collected and for what purposes.

The AEPD also criticised Facebook for collecting the data of users when browsing third-party sites without making this clear, allowing users aged 13 to register with Facebook without obtaining the parent or guardian’s consent and retaining data longer than required for its original purpose.

The fine is one of a number that Facebook has received from European Data Supervisory Authorities this year.

Click here to read the AEPD’s press release.