News

🇪🇸 Source: PS-00238-2024

👕👗 Facts:
A former employee of a clothing brand requested information about their payslip for July 2022.
In response, the employer sent an email containing a PDF that included not only the requested payslip but also the payslips of 446 other employees.

📋 Investigation by the AEPD (Spanish Data Protection Authority):
The AEPD identified several violations:

1️⃣ Violation of Article 5 1 F of GDPR:

• Failure to ensure confidentiality and integrity of employees’ personal data.
• Data was exposed to an unauthorized third party.

2️⃣ Violation of Article 32-1 of GDPR:

• Lack of appropriate technical and organizational measures to secure the data.

📉 Consequences:

• 💸 Administrative Fine: Initially €450,000, reduced to €270,000.
  (Reduction granted under Spanish law if the responsible party promptly pays and acknowledges responsibility.)
• 🛑 Public Sanction: Damage to reputation.