AEPD (Spain) - PS/00367/2019: Difference between revisions

Latest revision as of 14:32, 13 December 2023

AEPD - PS/00367/2019

Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 5(1)(f) GDPR Article 83(5)(a) GDPR Article 58(2) GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	n/a
Published:	21. 2.2020
Fine:	2.500 €
Parties:	Anoymous Vs. ESPAÑA(Spanish far-right political party.
National Case Number/Name:	PS/00367/2019
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Spanish
Original Source:	AEPD (in es)
Initial Contributor:	n/a

The AEPD issued a reprimand to the Spanish far-right political party VOX. The data controller had sent an email without blind copying, to the members of that political party, infringing Article 5(1)(f) GDPR (integrity and confidentiality principle).

English Summary

Facts

The AEPD examined a complaint submitted against the political party VOX. The data controller had sent an email without blind copying, to the affiliates of the said political party. Following the filing of the complaint, the data controller acknowledged the facts and implemented the necessary security measures.

Dispute

Is the unintentionality and the adoption of measures to remedy the infringing conduct relevant for the fine reduction?

Holding

The AEPD ruled that the sending of email without Bcc: the email recipients constituted a violation of the principle of integrity and confidentiality (Article 5(1)(f) GDPR). Regarding the fining, the authority decided to issue a warning sanction instead of a fine, although the sanction is still mentionning that the infringement at stake is subject to a fine according to Article 83.5 GDPR, in the lights of Recital (148) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the **Spanish** original. Please refer to the **Spanish** original for more details.

to be completed

@@ Line 9: / Line 9: @@
 <!--Information about the decision-->
-|Case_Number_Name=PS/00406/2019
+|Case_Number_Name=PS/00367/2019
 |ECLI=n/a
 |Original_Source_Name_1=AEPD
-|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00406-2019.pdf
+|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00367-2019.pdf
 |Original_Source_Language_1=Spanish
 |Original_Source_Language__Code_1=es
@@ Line 35: / Line 35: @@
 |GDPR_Article_2=Article 83(5)(a) GDPR
 |GDPR_Article_Link_2=Article 83 GDPR#5a
-|GDPR_Article_3=
+|GDPR_Article_3=Article 58(2) GDPR
-|GDPR_Article_Link_3=
+|GDPR_Article_Link_3=Article 83 GDPR#5a
 |GDPR_Article_4=
 |GDPR_Article_Link_4=
@@ Line 72: / Line 72: @@
 |GDPR_Article_Link_20=
-|Party_Name_1=Anoymous Vs. Electric Renting Groups, S.L
+|Party_Name_1=Anoymous Vs. ESPAÑA(Spanish far-right political party.
 |Party_Link_1=
 |Party_Name_2=
@@ Line 82: / Line 82: @@
 |Party_Name_5=
 |Party_Link_5=
+}}
-n/a
+The AEPD issued a reprimand to the Spanish far-right political party VOX. The data controller had sent an email without blind copying, to the members of that political party, infringing Article 5(1)(f) GDPR (integrity and confidentiality principle).
-| n/a}}
-The APED fined 2.500 € a data controller for sending advertisement email without blind carbon copy (Bcc) the email recipients. By disclosing the email addresses of the recipient, the company violated the principle of integrity and confidentiality – Article 5(1)(f) GDPR-.
 ==English Summary==
 ===Facts===
-A citizen filed a complaint with the AEPD against Electric Renting Groups, S.L for sending an advertisement email and disclosing the recipients of this email. Indeed, the company, which acted as a data controller, sent the email without confining the dozens of email recipients in blind carbon copy (Bcc:).
+The AEPD examined a complaint submitted against the political party VOX. The data controller had sent an email without blind copying, to the affiliates of the said political party. Following the filing of the complaint, the data controller acknowledged the facts and implemented the necessary security measures.
-The AEPD informed the controller about the complaint and give them 1 month to reply.
-After not obtaining any reply from the controller, the AEPD agreed to initiate investigations against the data controller for the alleged infringement of Article 5(1)(f) GDPR, the principle of integrity and confidentiality. The AEPD gave the controller another 10 days to reply to the allegations.
-The controller failed to reply to the AEPD.
 ===Dispute===
-Does the disclosure of dozens email addresses constitute a GDPR violation?
+Is the unintentionality and the adoption of measures to remedy the infringing conduct relevant for the fine reduction?
 ===Holding===
-The AEPD ruled that the sending of email without Bcc: the email recipients constituted a violation of the principle of integrity and confidentiality (Article 5(1)(f) GDPR), as well as the principle of proactive responsibility of the data controller.
+The AEPD ruled that the sending of email without Bcc: the email recipients constituted a violation of the principle of integrity and confidentiality (Article 5(1)(f) GDPR). Regarding the fining, the authority decided to issue a warning sanction instead of a fine, although the sanction is still mentionning that the infringement at stake is subject to a fine according to Article 83.5 GDPR, in the lights of Recital (148) GDPR.
-Consequently, the APED decided to issue a fine of 2.500 € for the violation of the principle of integrity and confidentiality, pursuant to Article 83(5)(a) GDPR.
 ==Comment==