News

📢 GDPR fine for misuse of professional email addresses

Source: PS/00117/2022
Spain, AEPD

A €2,000 fine was imposed by the AEPD on a works council member for sharing a colleague’s professional contact details with third parties despite their explicit objection.

🔍 Complaint context

A works council member repeatedly shared emails containing another member’s name and professional email address with external parties, including unions and union affiliates — despite the recipient’s objections.

➡️ The complainant had explicitly objected multiple times (emails dated January 22, 28, and February 18, 2021) to having their email address shared outside the committee.

⚖️ Violation: Article 6 of the GDPR

The processing (i.e., email sharing) was deemed unlawful because:

• There was no valid legal basis for the data sharing,
• The complainant had clearly withdrawn consent,
• The communication could have been handled differently, e.g., via BCC or a limited distribution list.

📌 The argument that the purpose was “union-related” or “internal to the company” was rejected because:

• Not all recipients were part of the committee.
• The shared data was not strictly necessary for the union-related purpose.

💸 Penalty

• Amount: €2,000
• Reason: Serious infringement of Article 6 GDPR (processing without lawful basis)
• Aggravating factors: Clear intentionality, lack of diligence despite multiple warnings
• Mitigating factors: None noted

⚖️ The authority reaffirmed:
internal or union-related purposes do not justify excessive or non-consensual processing of personal data.

💬 Key takeaway:
Respecting someone’s objection to the use of their personal data — even in a professional setting — is a legal obligation, not a courtesy.