📣 A lack of confidentiality

Confidentiality & Security | 28/04/2025

🔎 Confidentiality broken in an internal investigation protocol = €120,000 fine.

Source: PS 0505-2024

The Spanish regulator, the AEPD, has fined a company €120,000 for passing on a report that revealed the identity of complainants in an investigation procedure for moral harassment.

📌 Facts:
In July 2024, employees reported harassment via an internal protocol.

But... the company sent a report including the resolutions (with surnames, first names and positions) to:
- The entire works council,
- Several employees who were not involved (15 people in total).

As a result, the confidentiality of the complainants was compromised, leading one of the victims to take sick leave due to an anxiety attack.

⚖️ Legal basis:
Violation of Article 5.1.f) of the GDPR → principle of confidentiality:
“Data must be processed in such a way as to guarantee adequate security [...] against unauthorized disclosure.”

💥 Initial sanction:
- €200,000 (regulatory basis: art. 83.5.a GDPR)
- Reduced to €120,000 after:
  - Acknowledgement of liability
  - Advance payment

🛑 Gravity of the act:
- The processing concerned sensitive data in a conflict context.
- The company admitted that confidentiality had not been respected in the procedure.

🔐 Confidentiality is not an option.
Even less so when dealing with sensitive data in an HR context.
This case is a reminder that:
➡️ Protecting complainants must be at the heart of internal processes.
➡️ The GDPR also applies to HR departments, unions and committees.
➡️ Negligence in disseminating internal information can be costly... both on a human level and a legal one.