News
🇪🇸 An Employer Cannot Publish Personal Information About a Former Employee in Comments 🇪🇸
Source: PS-00395-2021
👁️ Facts:
In response to negative reviews left by customers on Google, a Spanish café published the personal data of its former employee:
· Response to negative reviews:
- 📢 The company identified the reviewer as a friend of the former employee.
- 🔍 It disclosed personal information such as her full name and details of the disciplinary actions taken against her (dismissal, suspension of salary for "serious and very serious" misconduct).
· Attempt to defend the company’s reputation:
- 🛡️ The goal was to explain away the negative reviews by implying they came from the former employee's circle of acquaintances.
- ⚠️ The company tried to discredit the former employee and her connections to protect its public image.
💼 The former employee filed a complaint with the AEPD.
⚠️ Violations Identified:
1️⃣ Breach of the Duty of Confidentiality (Article 5.1.f of the GDPR):
Failure to maintain the security and confidentiality of personal data.
2️⃣ Violation of Lawful Processing (Article 6.1.a of the GDPR):
Data was processed without consent or any other legitimate legal basis.
💸 Consequences:
- 🗓️ April 28, 2022:
- Administrative fine: €1,500.
- Requirement: Remove the personal data from the comments.
- Corrective measures: Implement actions to ensure compliance.